catsrv[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

catsrv.dll
Size

374KB
MD5

09425e2dcf4f6c392c5ce642f6cd5462
SHA1

962348a85b08994fd61a264bc1bd7c900070217e
SHA256

eee29752073c2e731be0c017b4f74458e28cabfca5a788349bcc3924477b1379
SHA512

ed717c51ac18e6b1bde48e8a27f60a35e0b6c152c0602450f72b2fab8d330b46bcb9f6a3aa9d4b158993e3950f0c28c0af1299e55f5c957d65e34de5b9707178
SSDEEP

6144:r03p889q8vRsVUw44TIPmEJGYY/ve9ta9kyIczdPTcNOjR0HOGA5HdUf6Mc664iM:oHFRJsea9k4JT56HOlGZh64

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
catsrv.dll

Files

catsrv.dll
.dll regsvr32 windows:10 windows x86 arch:x86

4f5efd20adc8e59bce2ccdfcfaaba07f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

catsrv.pdb

Imports

msvcrt

_wrename
memcmp
swscanf
_local_unwind4
_vsnwprintf
__dllonexit
memcpy
_unlock
iswdigit
__CxxFrameHandler3
_lock
wcstol
wcschr
_except_handler4_common
wcstok
wcsrchr
_i64tow_s
_itow
memmove
_initterm
wcsspn
?terminate@@YAXXZ
_onexit
free
_errno
_beginthreadex
_wcsicmp
_purecall
wcscpy_s
realloc
wcscat_s
_wcsnicmp
_XcptFilter
_waccess
_vsnprintf
_wcsdup
_wtoi
wcstoul
toupper
malloc
_amsg_exit
memset

clbcatq

DowngradeAPL
ComPlusPartitionsEnabled
SetupOpen
OpenComponentLibraryEx
CreateComponentLibraryEx
GetSimpleTableDispenser
CLSIDFromStringByBitness
SetupSave
ServerGetApplicationType

mfcsubs

??0CString@@QAE@PBG@Z
??0CString@@QAE@GH@Z
??YCString@@QAEABV0@PBG@Z
?Right@CString@@QBE?AV1@H@Z
??H@YG?AVCString@@ABV0@PBG@Z
??H@YG?AVCString@@ABV0@0@Z
??$ConstructElements@VCString@@@@YGXPAVCString@@H@Z
??$DestructElements@VCString@@@@YGXPAVCString@@H@Z
?Left@CString@@QBE?AV1@H@Z
??4CString@@QAEABV0@ABV0@@Z
?ReverseFind@CString@@QBEHG@Z
??0CString@@QAE@XZ
??4CString@@QAEABV0@PBG@Z
??1CString@@QAE@XZ
?Create@CPlex@@SGPAU1@AAPAU1@II@Z
??0CString@@QAE@ABV0@@Z
??0CString@@QAE@PBD@Z
??H@YG?AVCString@@PBGABV0@@Z
?Find@CString@@QBEHPBG@Z
?FreeDataChain@CPlex@@QAEXXZ
?MakeUpper@CString@@QAEXXZ
?Mid@CString@@QBE?AV1@H@Z

ntdll

WinSqmSetDWORD
DbgUserBreakPoint

oleaut32

RegisterTypeLi
SysStringLen
SysAllocString
LoadTypeLi
LoadRegTypeLi
LoadTypeLibEx
SysFreeString
VarUI4FromStr
QueryPathOfRegTypeLi

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount
WaitForSingleObject
SetEvent
ResetEvent
InitializeCriticalSection
ReleaseSRWLockExclusive
EnterCriticalSection
AcquireSRWLockExclusive
CreateSemaphoreExW
ReleaseSemaphore
CreateEventW
LeaveCriticalSection
DeleteCriticalSection
OpenMutexW
ReleaseMutex

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-libraryloader-l1-2-0

SizeofResource
GetModuleHandleW
LoadLibraryExW
FindResourceExW
GetModuleFileNameW
LockResource
FreeLibrary
FreeLibraryAndExitThread
LoadResource
LoadStringW
DisableThreadLibraryCalls
GetProcAddress

api-ms-win-core-string-l2-1-0

CharNextW
IsCharAlphaNumericW
CharPrevW
CharLowerW

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-registry-l1-1-0

RegDeleteTreeW
RegCreateKeyExW
RegDeleteValueW
RegSetValueExW
RegQueryInfoKeyW
RegFlushKey
RegOpenKeyExW
RegQueryValueExW
RegEnumKeyExW
RegCloseKey
RegEnumValueW

api-ms-win-core-memory-l1-1-0

VirtualProtect
OpenFileMappingW
VirtualQuery
MapViewOfFile
VirtualAlloc
CreateFileMappingW
UnmapViewOfFile

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemDirectoryW
GetLocalTime
GetSystemTimeAsFileTime
GetSystemInfo

api-ms-win-core-string-l1-1-0

CompareStringW
WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
GetExitCodeProcess
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
CreateProcessAsUserW
OpenProcessToken
GetCurrentProcess
SetThreadToken
OpenThreadToken
CreateProcessW

api-ms-win-core-localization-l1-2-0

IsValidLocale
SetThreadLocale
GetSystemDefaultLCID
FormatMessageW
GetThreadLocale
GetUserDefaultLangID

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-file-l1-1-0

ReadFile
GetShortPathNameW
GetFileSizeEx
FindNextFileW
FindClose
GetFileSize
FindFirstFileW
CreateDirectoryW
RemoveDirectoryW
WriteFile
SetFilePointer
CreateFileW
DeleteFileW
GetLongPathNameW
GetFileType
GetFullPathNameW
SetFileAttributesW
SetFileTime
FileTimeToLocalFileTime
GetFileAttributesExW
GetTempFileNameW
GetFileAttributesW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-security-base-l1-1-0

RevertToSelf
InitializeSecurityDescriptor
IsValidSecurityDescriptor
DestroyPrivateObjectSecurity
CreatePrivateObjectSecurityEx
FreeSid
IsWellKnownSid
AllocateAndInitializeSid
CopySid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
GetSidSubAuthorityCount
GetSidLengthRequired
AddAce
SetSecurityDescriptorDacl
GetSidSubAuthority
GetTokenInformation
GetSecurityDescriptorLength
CheckTokenMembership
GetSecurityDescriptorDacl
DuplicateTokenEx

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-synch-l1-2-0

Sleep
SleepConditionVariableSRW
WakeAllConditionVariable

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalReAlloc
LocalFree

api-ms-win-core-version-l1-1-0

VerQueryValueW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrcpyW
lstrcpynW

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-privateprofile-l1-1-0

WritePrivateProfileStringW
GetPrivateProfileStringW

kernel32

DosDateTimeToFileTime
FileTimeToDosDateTime
GetComputerNameW
MoveFileW
GetModuleFileNameA

api-ms-win-core-shlwapi-legacy-l1-1-0

PathStripPathW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

?CancelWriteICR@@YGJPAPAUIComponentRecords@@@Z
?GetReadICR@@YGJHPAPAUIComponentRecords@@@Z
?GetWriteICR@@YGJPAPAUIComponentRecords@@@Z
?ReleaseReadICR@@YGXPAPAUIComponentRecords@@@Z
?SaveWriteICR@@YGJPAPAUIComponentRecords@@@Z
CreateComponentLibraryTS
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
GetAppImport
GetCatalogCRMClerk
OpenComponentLibraryTS

Sections

.text
Size: 343KB - Virtual size: 342KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 456B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4f5efd20adc8e59bce2ccdfcfaaba07f

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

clbcatq

mfcsubs

ntdll

oleaut32

api-ms-win-core-synch-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-file-l2-1-2

api-ms-win-core-file-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-privateprofile-l1-1-0

kernel32

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 343KB - Virtual size: 342KB

.data Size: 512B - Virtual size: 11KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 456B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 19KB - Virtual size: 19KB

.text
Size: 343KB - Virtual size: 342KB

.data
Size: 512B - Virtual size: 11KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 456B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 19KB - Virtual size: 19KB