bcrypt[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

bcrypt.dll
Size

95KB
MD5

0971a56f462273cd81b76613f51b5580
SHA1

03441d19b0212ad3c50ca924425185e8d1c518bc
SHA256

85d1979ff9c67865693ba050470dabfb39b3ccb105fba755bf5626b9bbd450ef
SHA512

336a1c312851884b8c0f94a206a9a7ea767207e0dc1103aa9f14c5e2c136cfe21a61f28b3d7741b766cf77902cbe3a3218f1a365997d2b5d09c2e421d3b63e92
SSDEEP

1536:mqqoNE6ZR0pFsEDW5ehRbRpLQ6b7OO0NX9oU2E4KriB0bwd43OPGzc:rjNE6IXsEiehJr3OO0NtoZE4KrTw+eug

Score

1^/10

Malware Config

Signatures

Files

bcrypt.dll
.dll windows:10 windows x86 arch:x86

b6a247bebbe359a2c85c40344e34ab03

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8f:29:5e:1f:4b:16:bf:01:04:92:46:0d:1a:91:d6:00:04:da:35:46:5a:1b:07:57:52:60:15:f9:c1:bf:e0:33
Signer

Actual PE Digest

8f:29:5e:1f:4b:16:bf:01:04:92:46:0d:1a:91:d6:00:04:da:35:46:5a:1b:07:57:52:60:15:f9:c1:bf:e0:33

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

bcrypt.pdb

Imports

ntdll

RtlInitUnicodeString
NtClose
NtQueryValueKey
RtlAllocateHeap
NtQueryInformationProcess
RtlDeleteCriticalSection
RtlDeleteResource
RtlAcquireResourceShared
RtlReleaseResource
RtlEnterCriticalSection
RtlInitializeResource
RtlAcquireResourceExclusive
RtlInitializeCriticalSection
RtlLeaveCriticalSection
NtOpenKey
NtDeviceIoControlFile
NtOpenFile
RtlNtStatusToDosError
RtlCompareUnicodeString
_wcsicmp
RtlImageNtHeader
RtlUnwind
EtwTraceMessage
memcpy
RtlUnhandledExceptionFilter
NtTerminateProcess
EtwEventRegister
EtwEventUnregister
EtwUnregisterTraceGuids
EtwGetTraceEnableFlags
LdrDisableThreadCalloutsForDll
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwRegisterTraceGuidsW
EtwEventWrite
RtlFreeHeap
wcsncmp
_alloca_probe
memcmp
memset

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
FreeLibrary
LoadLibraryExW
GetModuleFileNameW
GetModuleHandleExW

api-ms-win-core-errorhandling-l1-1-0

GetLastError

api-ms-win-core-processthreads-l1-1-0

SetThreadStackGuarantee
GetCurrentProcess
OpenProcessToken

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-security-base-l1-1-0

PrivilegeCheck

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
CreateEventW
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventRegister
EventUnregister

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-sysinfo-l1-1-0

GetSystemInfo
GetSystemDirectoryW

api-ms-win-core-threadpool-private-l1-1-0

RegisterWaitForSingleObjectEx

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-memory-l1-1-0

VirtualProtect
VirtualQuery
VirtualAlloc

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

BCryptAddContextFunction
BCryptAddContextFunctionProvider
BCryptCloseAlgorithmProvider
BCryptConfigureContext
BCryptConfigureContextFunction
BCryptCreateContext
BCryptCreateHash
BCryptCreateMultiHash
BCryptDecrypt
BCryptDeleteContext
BCryptDeriveKey
BCryptDeriveKeyCapi
BCryptDeriveKeyPBKDF2
BCryptDestroyHash
BCryptDestroyKey
BCryptDestroySecret
BCryptDuplicateHash
BCryptDuplicateKey
BCryptEncrypt
BCryptEnumAlgorithms
BCryptEnumContextFunctionProviders
BCryptEnumContextFunctions
BCryptEnumContexts
BCryptEnumProviders
BCryptEnumRegisteredProviders
BCryptExportKey
BCryptFinalizeKeyPair
BCryptFinishHash
BCryptFreeBuffer
BCryptGenRandom
BCryptGenerateKeyPair
BCryptGenerateSymmetricKey
BCryptGetFipsAlgorithmMode
BCryptGetProperty
BCryptHash
BCryptHashData
BCryptImportKey
BCryptImportKeyPair
BCryptKeyDerivation
BCryptOpenAlgorithmProvider
BCryptProcessMultiOperations
BCryptQueryContextConfiguration
BCryptQueryContextFunctionConfiguration
BCryptQueryContextFunctionProperty
BCryptQueryProviderRegistration
BCryptRegisterConfigChangeNotify
BCryptRegisterProvider
BCryptRemoveContextFunction
BCryptRemoveContextFunctionProvider
BCryptResolveProviders
BCryptSecretAgreement
BCryptSetAuditingInterface
BCryptSetContextFunctionProperty
BCryptSetProperty
BCryptSignHash
BCryptUnregisterConfigChangeNotify
BCryptUnregisterProvider
BCryptVerifySignature

Sections

.text
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b6a247bebbe359a2c85c40344e34ab03

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

8f:29:5e:1f:4b:16:bf:01:04:92:46:0d:1a:91:d6:00:04:da:35:46:5a:1b:07:57:52:60:15:f9:c1:bf:e0:33Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-threadpool-private-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 73KB - Virtual size: 73KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 3KB - Virtual size: 3KB

.didat Size: 512B - Virtual size: 36B

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 3KB - Virtual size: 2KB

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

8f:29:5e:1f:4b:16:bf:01:04:92:46:0d:1a:91:d6:00:04:da:35:46:5a:1b:07:57:52:60:15:f9:c1:bf:e0:33
Signer

.text
Size: 73KB - Virtual size: 73KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 3KB - Virtual size: 3KB

.didat
Size: 512B - Virtual size: 36B

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 3KB - Virtual size: 2KB