aadtb[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

aadtb.dll
Size

1.2MB
MD5

b577d9b7629f8e21afbc4d16378bbf45
SHA1

7b9f13dbf8009b67f30b7dd9e7e90e4c33aed563
SHA256

08443cf9cfe5f460fdb38c9e2e44e46c59653960b010489203169cb14868ccc2
SHA512

abd30f84fd14d2b48786f2dce11f8346b862353c94b22befcf1b66e71a9dfad927e2a014d58dc6b9ed112e8f23de80bcaaa9c56501ac5701c2690ba6362dc53c
SSDEEP

12288:Q6WBbEM5A8MhRheOzRgoHPg+PfFgQNDMEjYEkrNmd7EEFLkZjDfpOK94SZLc22cw:Q6uwhRU8Lvg+PNrjteDfwWLc22c3qXd

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
aadtb.dll

Files

aadtb.dll
.dll windows:10 windows x86 arch:x86

50e041041528759fea4895ff61eb9fc8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

aadtb.pdb

Imports

cryptngc

NgcDecryptWithSymmetricPopKey
NgcSignWithSymmetricPopKey
NgcImportSymmetricPopKey
NgcEnumContainers

certenroll

ord51
ord50

dsreg

DsrFreeJoinInfoEx
DsrGetJoinInfoEx

oleaut32

VariantClear
SysFreeString
SysAllocString
VariantInit

crypt32

CryptSignAndEncodeCertificate
CryptExportPublicKeyInfo
CryptProtectData
CryptUnprotectData
CertGetCertificateContextProperty
CryptAcquireCertificatePrivateKey
CryptEncodeObject
CertSetCertificateContextProperty
CryptHashCertificate
CertFreeCertificateContext
CertCreateCertificateContext
CertDuplicateCertificateContext
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertFindCertificateInStore
CertCloseStore
CertOpenStore

ncrypt

NCryptOpenStorageProvider
NCryptOpenKey
NCryptFinalizeKey
NCryptSetProperty
NCryptCreatePersistedKey
NCryptDeleteKey
NCryptFreeObject
NCryptSignHash

ntdll

RtlAllocateHeap
RtlFreeHeap
RtlNtStatusToDosError
RtlGetDeviceFamilyInfoEnum
RtlImageNtHeader

gdi32

DeleteObject
GetObjectW

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
ReleaseMutex
ReleaseSemaphore
CreateSemaphoreExW
OpenSemaphoreW
AcquireSRWLockExclusive
ReleaseSRWLockShared
CreateMutexExW
SetEvent
ResetEvent
CreateEventExW
AcquireSRWLockShared
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSectionEx
ReleaseSRWLockExclusive
WaitForSingleObjectEx

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventUnregister
EventWriteTransfer
EventSetInformation
EventActivityIdControl

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
RaiseException
GetLastError
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-heap-l1-1-0

HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
HeapSize

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsDuplicateString
HSTRING_UserMarshal
WindowsStringHasEmbeddedNull
HSTRING_UserSize
WindowsIsStringEmpty
HSTRING_UserFree
HSTRING_UserUnmarshal
WindowsGetStringLen
WindowsCompareStringOrdinal
WindowsConcatString
WindowsDeleteString
WindowsCreateString
WindowsCreateStringReference

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoOriginateErrorW

api-ms-win-core-com-l1-1-0

CoMarshalInterThreadInterfaceInStream
CoCreateFreeThreadedMarshaler
CoTaskMemFree
CoGetObjectContext
CoCreateGuid
CoCreateInstance
StringFromGUID2
CoTaskMemAlloc
CoGetCallContext
CoGetInterfaceAndReleaseStream
CoGetApartmentType

api-ms-win-security-cryptoapi-l1-1-0

CryptCreateHash
CryptGetProvParam
CryptReleaseContext
CryptGetHashParam
CryptHashData
CryptDestroyHash
CryptAcquireContextW

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThreadId
OpenProcessToken
SetThreadStackGuarantee
TerminateProcess
CreateProcessW
GetCurrentProcess

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetSystemTimeAsFileTime
GetSystemInfo
GetTickCount

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
TraceMessage
RegisterTraceGuidsW
GetTraceEnableLevel
UnregisterTraceGuids
GetTraceLoggerHandle

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceComplete
InitOnceExecuteOnce
Sleep
SleepConditionVariableSRW
WakeAllConditionVariable

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-security-base-l1-1-0

GetLengthSid
GetTokenInformation
CopySid
DuplicateTokenEx

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-shcore-stream-winrt-l1-1-0

CreateStreamOverRandomAccessStream

rpcrt4

CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_IsIIDSupported
IUnknown_QueryInterface_Proxy
CStdStubBuffer_AddRef
NdrCStdStubBuffer2_Release
CStdStubBuffer_DebugServerRelease
NdrOleAllocate
IUnknown_Release_Proxy
NdrOleFree
NdrDllGetClassObject
NdrDllCanUnloadNow
IUnknown_AddRef_Proxy
CStdStubBuffer_Invoke
NdrStubCall2
NdrStubForwardingFunction

api-ms-win-core-com-midlproxystub-l1-1-0

NdrProxyForwardingFunction5
CStdStubBuffer2_QueryInterface
ObjectStublessClient7
CStdStubBuffer2_Disconnect
CStdStubBuffer2_CountRefs
ObjectStublessClient6
ObjectStublessClient8
ObjectStublessClient9
ObjectStublessClient10
NdrProxyForwardingFunction3
CStdStubBuffer2_Connect
NdrProxyForwardingFunction4

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-registry-l1-1-0

RegDeleteTreeW
RegEnumValueW
RegEnumKeyExW
RegSetValueExW
RegGetValueW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW
GetProcAddress

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer

sspicli

LsaDeregisterLogonProcess
LsaConnectUntrusted
LsaFreeReturnBuffer
LsaCallAuthenticationPackage
LsaLookupAuthenticationPackage

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW

wincorlib

?CreateException@Exception@Platform@@SAP$AAV12@HP$AAVString@2@@Z
?get@Message@Exception@Platform@@Q$AAAP$AAVString@3@XZ
?Allocate@Heap@Details@Platform@@SAPAXI@Z
??0Delegate@Platform@@Q$AAA@XZ
?ReCreateException@Exception@Platform@@SAP$AAV12@H@Z
?EventSourceGetTargetArrayEvent@Details@Platform@@YGPAXPAXIPBXPA_J@Z
??0ClassNotRegisteredException@Platform@@Q$AAA@P$AAVString@1@@Z
??0COMException@Platform@@Q$AAA@HP$AAVString@1@@Z
?EventSourceGetTargetArraySize@Details@Platform@@YGIPAX@Z
?EventSourceGetTargetArray@Details@Platform@@YGPAXPAXPAUEventLock@12@@Z
?EventSourceInitialize@Details@Platform@@YGXPAPAX@Z
?EventSourceAdd@Details@Platform@@YG?AVEventRegistrationToken@Foundation@Windows@@PAPAXPAUEventLock@12@P$AAVDelegate@2@@Z
?EventSourceRemove@Details@Platform@@YGXPAPAXPAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
?EventSourceUninitialize@Details@Platform@@YGXPAPAX@Z
?GetIBoxArrayVtable@Details@Platform@@YGPAXPAX@Z
?CreateException@Exception@Platform@@SAP$AAV12@H@Z
?__abi_ObjectToString@__abi_details@@YGP$AAVString@Platform@@P$AAVObject@3@_N@Z
?__abi_make_type_id@@YGP$AAVType@Platform@@ABU__abi_type_descriptor@@@Z
?GetIBoxVtable@Details@Platform@@YGPAXPAX@Z
?CreateValue@Details@Platform@@YGP$AAVObject@2@W4TypeCode@2@PBX@Z
?__abi_cast_Object_to_String@__abi_details@@YGP$AAVString@Platform@@_NP$AAVObject@3@@Z
??0FailureException@Platform@@Q$AAA@XZ
??0OutOfMemoryException@Platform@@Q$AAA@XZ
?__abi_cast_String_to_Object@__abi_details@@YGP$AAVObject@Platform@@P$AAVString@3@@Z
??0Object@Platform@@Q$AAA@XZ
?AllocateException@Heap@Details@Platform@@SAPAXII@Z
??0ChangedStateException@Platform@@Q$AAA@XZ
?ReleaseTarget@ControlBlock@Details@Platform@@AAEXXZ
?AlignedFree@Heap@Details@Platform@@SAXPAX@Z
?Free@Heap@Details@Platform@@SAXPAX@Z
?Allocate@Heap@Details@Platform@@SAPAXII@Z
?__abi_WinRTraiseNotImplementedException@@YGXXZ
?__abi_WinRTraiseInvalidCastException@@YGXXZ
?__abi_WinRTraiseNullReferenceException@@YGXXZ
?__abi_WinRTraiseOperationCanceledException@@YGXXZ
?__abi_WinRTraiseFailureException@@YGXXZ
?__abi_WinRTraiseAccessDeniedException@@YGXXZ
?__abi_WinRTraiseOutOfMemoryException@@YGXXZ
?__abi_WinRTraiseInvalidArgumentException@@YGXXZ
?__abi_WinRTraiseOutOfBoundsException@@YGXXZ
?__abi_WinRTraiseChangedStateException@@YGXXZ
?__abi_WinRTraiseClassNotRegisteredException@@YGXXZ
?__abi_WinRTraiseWrongThreadException@@YGXXZ
?__abi_WinRTraiseDisconnectedException@@YGXXZ
?__abi_WinRTraiseObjectDisposedException@@YGXXZ
?__abi_WinRTraiseCOMException@@YGXJ@Z
?InitializeData@Details@Platform@@YGJH@Z
?UninitializeData@Details@Platform@@YGXH@Z
?__abi_FailFast@@YGXXZ
?ReCreateFromException@Details@Platform@@YGJP$AAVException@2@@Z
?GetIidsFn@@YGJHPAKPBU__s_GUID@@PAPAVGuid@Platform@@@Z
?GetActivationFactoryByPCWSTR@@YGJPAXAAVGuid@Platform@@PAPAX@Z
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@P$AAV12@@Z
??0OutOfBoundsException@Platform@@Q$AAA@XZ

msvcrt

_wcsdup
memmove_s
memcpy_s
vswprintf_s
_vscwprintf
_purecall
__ExceptionPtrDestroy
__ExceptionPtrCopy
__ExceptionPtrCurrentException
__ExceptionPtrCreate
?terminate@@YAXXZ
wcsstr
??_V@YAXPAX@Z
_wcsicmp
??1exception@@UAE@XZ
??0exception@@QAE@XZ
??0exception@@QAE@ABV0@@Z
__ExceptionPtrRethrow
wcsnlen
wcschr
??2@YAPAXIHPBDH@Z
wcsrchr
?name@type_info@@QBEPBDXZ
__RTtypeid
malloc
swprintf_s
_wcslwr_s
wcspbrk
iswspace
time
wcscspn
wcsspn
_wcsicoll
wcsncmp
_vsnwprintf
_vsnprintf_s
_wcsnicmp
_wcsupr_s
difftime
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBD@Z
__ExceptionPtrCopyException
__ExceptionPtrAssign
__CxxFrameHandler3
_wtol
_wtoi
??0exception@@QAE@ABQBDH@Z
memset
wcslen
_CxxThrowException
_lock
_unlock
__dllonexit
_onexit
??1type_info@@UAE@XZ
_XcptFilter
_amsg_exit
_initterm
realloc
_except_handler4_common
memcmp
_callnewh
memcpy
memmove
_vsnprintf
wcscat_s
wcsncpy_s
_gmtime64_s
wcsftime
free
??3@YAXPAX@Z
__ExceptionPtrToBool
__RTDynamicCast

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolQueueTask

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-memory-l1-1-0

VirtualQuery
VirtualProtect
VirtualAlloc

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-security-capability-l1-1-0

CapabilityCheck

Exports

Exports

AADTBAcquireToken
AADTBAcquireTokenEx
AADTBFreeString
AADTBFreeStruct
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject

Sections

.text
Size: 791KB - Virtual size: 791KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 512B - Virtual size: 200B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 228KB - Virtual size: 228KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 70KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 93KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 75KB - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

50e041041528759fea4895ff61eb9fc8

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

cryptngc

certenroll

dsreg

oleaut32

crypt32

ncrypt

ntdll

gdi32

api-ms-win-core-synch-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-security-cryptoapi-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-shcore-stream-winrt-l1-1-0

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-threadpool-l1-2-0

sspicli

api-ms-win-core-registry-l1-1-1

wincorlib

msvcrt

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-security-capability-l1-1-0

Exports

Exports

Sections

.text Size: 791KB - Virtual size: 791KB

.orpc Size: 512B - Virtual size: 200B

.rdata Size: 228KB - Virtual size: 228KB

.data Size: 70KB - Virtual size: 73KB

.didat Size: 512B - Virtual size: 8B

.rsrc Size: 93KB - Virtual size: 92KB

.reloc Size: 75KB - Virtual size: 75KB

.text
Size: 791KB - Virtual size: 791KB

.orpc
Size: 512B - Virtual size: 200B

.rdata
Size: 228KB - Virtual size: 228KB

.data
Size: 70KB - Virtual size: 73KB

.didat
Size: 512B - Virtual size: 8B

.rsrc
Size: 93KB - Virtual size: 92KB

.reloc
Size: 75KB - Virtual size: 75KB