dbgeng[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

dbgeng.dll
Size

2.4MB
MD5

8e8c92dd50f6b34907813afdc0c8f7dd
SHA1

95b28a077bc256eda1692ed4c5f1e8d75d1cbc3b
SHA256

ef7ff7cfaeb5d930eb96b5f81bd60ee23692e24a31650ca72b25164d20f2dae4
SHA512

4734cc2f037c0dc4804eaf0c294b761a6373c00a3b4bf03b68c9e1243d45e179a11ce561a90c5fac9fed4fb4092ee6893a3b39360df3dfe0ec974e67d3273208
SSDEEP

49152:G/r9Wl5z8zHhkSlHRaAR+hGVULq9PrYY5zSzCilH8fi/9W23CiueO+ueO+NDg:L5ghkSlHRaADVGyPrYazSGilH8l23Dg

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
dbgeng.dll

Files

dbgeng.dll
.dll windows:6 windows x86 arch:x86

33f9b5ad284054071220a44c0d849b27

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

dbgeng.pdb

Imports

msvcrt

wcsstr
swscanf
_wtoi
ctime
_wcsdup
time
_wcsicmp
iswalnum
wcschr
iswdigit
towlower
_purecall
memset
??2@YAPAXI@Z
??3@YAXPAX@Z
iswspace
_wgetenv
malloc
_vsnwprintf
memcpy
wcsncmp
memmove
free
_isatty
_write
_lseeki64
_fileno
__pioinfo
__badioinfo
wctomb
_itoa
_snprintf
isleadbyte
?terminate@@YAXXZ
_onexit
_lock
__dllonexit
_unlock
_amsg_exit
_initterm
_XcptFilter
_iob
_vsnprintf
_errno
__CxxFrameHandler
isspace
ftell
fseek
fgetws
feof
_wcslwr
wcstoul
atol
iswprint
strrchr
printf
_strlwr
towupper
qsort
iswalpha
iswupper
calloc
getenv
atoi
strncmp
sscanf
_wctime
_wsetlocale
isprint
iswxdigit
_strnicmp
_wcsnicmp
_wcsupr
realloc
fgets
_stricmp
fprintf
strchr
_wfopen
__doserrno
strstr
wcsncpy
_snwprintf
strncat
_spawnlp
ldexp
frexp
_itow
_memicmp
_wtol
??1type_info@@UAE@XZ
fclose
wcsrchr
strtoul

dbghelp

SymGetModuleInfoW64
SymSearchW
ImagehlpApiVersionEx
ImageNtHeader
SymSetOptions
SymGetLineFromNameW64
SymGetFileLineOffsets64
SymFunctionTableAccess64
SymGetSourceFileTokenW
SymAddSymbolW
SymDeleteSymbolW
SymFromIndexW
SymGetTypeInfo
SymEnumSymbolsW
SymGetOptions
SymLoadModule64
SymAddSymbol
SymLoadModuleExW
SymGetSourceVarFromTokenW
SymMatchStringW
SymFromTokenW
SymFromAddrW
SymEnumLinesW
SymSetSearchPathW
SymGetHomeDirectoryW
SymEnumTypesW
SymEnumTypesByNameW
SymEnumSymbolsForAddrW
SymPrevW
SymNextW
SymSetScopeFromAddr
SymSetScopeFromIndex
SymGetLineFromAddrW64
StackWalk64
SymGetSourceFileFromTokenW
SymGetUnwindInfo
SymEnumSourceLinesW
SymMatchFileNameW
SymInitializeW
SymRegisterCallbackW64
SymRegisterFunctionEntryCallback64
SymCleanup
ImageDirectoryEntryToDataEx
ImageRvaToVa
dbghelp
SymFindFileInPathW
FindExecutableImageExW
SymUnloadModule64
SymGetTypeInfoEx
SymMatchStringA
GetTimestampForLoadedLibrary
SymFromNameW
SymGetTypeFromNameW
DbgHelpCreateUserDump

version

VerQueryValueA
GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

advapi32

RegDeleteValueW
CheckTokenMembership
GetUserNameW
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessDeniedAce
AddAccessAllowedAce
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
FreeSid
OpenProcessToken
AdjustTokenPrivileges
RegCreateKeyExW
RegQueryValueExA
RegOpenKeyExA
RegQueryValueExW
RegConnectRegistryW
RegOpenKeyExW
RegEnumValueW
RegCloseKey

kernel32

EnterCriticalSection
GetSystemDirectoryA
GetCommState
SetupComm
QueryPerformanceFrequency
WaitCommEvent
GetCommMask
SetCommMask
GetCommTimeouts
SetCommTimeouts
LocalAlloc
CreateDirectoryW
ContinueDebugEvent
WaitForDebugEvent
CreateRemoteThread
GetProcessTimes
SetThreadContext
VirtualFreeEx
VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
GetExitCodeProcess
SetEnvironmentVariableA
DebugActiveProcess
IsProcessorFeaturePresent
OpenProcess
FindFirstFileA
FileTimeToDosDateTime
GetTempPathA
GetTempFileNameA
GetFileTime
GetTempFileNameW
FileTimeToLocalFileTime
CreateEventA
GetSystemTime
SystemTimeToFileTime
GetThreadSelectorEntry
TerminateThread
GetModuleHandleA
lstrcmpiW
HeapCreate
VirtualQueryEx
GetThreadContext
CreateFileMappingA
HeapReAlloc
HeapDestroy
GetVersionExA
ReadProcessMemory
GetThreadPriority
GetThreadTimes
ResumeThread
SuspendThread
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
RtlUnwind
VirtualProtect
GetProcessHeap
HeapFree
HeapAlloc
GetPriorityClass
CreateProcessW
CreateThread
GetLocalTime
CreateNamedPipeA
CreateFileA
WaitForMultipleObjects
GetOverlappedResult
CancelIo
GetDriveTypeW
GetPrivateProfileStringW
DeviceIoControl
FindResourceW
SizeofResource
LoadResource
LockResource
GetSystemDirectoryW
FileTimeToSystemTime
LocalFree
GetFileAttributesW
GetCommandLineW
GetFileSize
CreateFileMappingW
MapViewOfFile
ConvertThreadToFiber
CreateFiber
DeleteFiber
SwitchToFiber
LoadLibraryW
SearchPathW
SetErrorMode
LoadLibraryExW
FreeLibrary
RaiseException
SetLastError
GetModuleFileNameA
UnmapViewOfFile
DeleteFileA
DeleteFileW
GetComputerNameW
CopyFileW
ResetEvent
GetCommModemStatus
ClearCommError
WriteFile
LoadLibraryA
CreateFileW
IsBadWritePtr
GetProcAddress
GetModuleFileNameW
VirtualAlloc
VirtualFree
GetFileSizeEx
SetFilePointer
ReadFile
GetFullPathNameW
InterlockedCompareExchange
GetSystemInfo
GetVersionExW
CreateEventW
InitializeCriticalSection
InterlockedExchange
GetEnvironmentVariableW
SetEnvironmentVariableW
GetCurrentProcessId
InterlockedExchangeAdd
DisableThreadLibraryCalls
DeleteCriticalSection
ReleaseSemaphore
InterlockedDecrement
GetModuleHandleW
FindFirstFileW
FindClose
CreateSemaphoreA
GetCurrentProcess
GetCurrentThread
DuplicateHandle
Sleep
IsBadReadPtr
IsBadCodePtr
InterlockedIncrement
FormatMessageW
CloseHandle
GetSystemTimeAsFileTime
QueueUserAPC
WaitForSingleObjectEx
WaitForSingleObject
SetEvent
OutputDebugStringA
GetTickCount
WideCharToMultiByte
SleepEx
MultiByteToWideChar
SetCommState
LeaveCriticalSection
GetCurrentThreadId
GetTempPathW
ExpandEnvironmentStringsW
GetLastError
DebugBreak

ntdll

NtSetTimerResolution

Exports

Exports

DebugConnect
DebugConnectWide
DebugCreate

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 80KB - Virtual size: 283KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 147KB - Virtual size: 147KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

33f9b5ad284054071220a44c0d849b27

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

dbghelp

version

advapi32

kernel32

ntdll

Exports

Exports

Sections

.text Size: 2.2MB - Virtual size: 2.2MB

.data Size: 80KB - Virtual size: 283KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 147KB - Virtual size: 147KB

.text
Size: 2.2MB - Virtual size: 2.2MB

.data
Size: 80KB - Virtual size: 283KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 147KB - Virtual size: 147KB