PDB path: C:\ADE\aime_1\oracle\network\bin\oran12.dll.pdb
Static task
static1
Behavioral task
behavioral1
Sample
oran12.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
oran12.dll
Resource
win10v2004-20240508-en
General
-
Target
oran12.dll
-
Size
4.3MB
-
MD5
0d25b2809cbfbc7e2629cd4fd1536ec3
-
SHA1
c94c376ad283798233dbed7a83e0a3081780d47c
-
SHA256
ca9b29536500f782b12b43c4f480c0353d119259e52d9ec696f68ad3511e94f1
-
SHA512
c8f68cdf2ffacd1d4835fd04eedcc469cd509e928e13a741a31d72b51af7f3f0166a0cbe582e4d37a66ea190cfdc1a206750e4f39c7bd860853e41a7f4b1a931
-
SSDEEP
49152:phlb6cUi1gAcF1wQiMVPCQmJttalwMxR4+uaOFwKjjtBvwT:p3DU8gAcF1riqfCtG2VaC1
Malware Config
Signatures
-
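Unsigned PE (1 IoC)
Checks for a missing Authenticode signature; the check matched this file. An unsigned PE means the publisher and file integrity cannot be verified from a signature; by itself it is not an indicator of malicious behaviour.
Resource: oran12.dll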
Files
-
oran12.dll.dll windows:5 windows x64 arch:x64
c4745a555106e1353c8dfd945892577f
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
Imports
oran12
nautab1
nautab2
nautab3
nautab0
ntapl
ntapp
nstrcarray
ntconent
nngxmtf
nngrsmd
osndfn
nasvcs
nasvcnum
oranl12
nlidg8
snlfsek
snldlgln
snlpnt_AddAceToObject
nluihash
snldltrl
snldlgpa
snldlldl
nlrgins
nlrgdel
nlolfmem
nlolgobj
snljgvm
snlfndddir
snlinGetNameInfo
snlgfqh
snlergem
snltmgcs
snlstdtid
nlstdtrm
nldddiagctxinit
nldtwrite
nlddwrite
nlnvcrb
nlnvdeb
nlbamsg
nlepeget
nlpagsp
snlfohd
snlfrd
snlfchd
nlpagbp
nlpagvc
nlepepe
snlfdel
nlemfireg
nlfiini
nlfidst
nlfiwr
nlemgmz
snlfacc
snlpcgun
nlstreturn
nldtlvlalter
snlfnexed
nlvldl
snlfngenv
nlstdget
nlqudeq
nlquenq
snlfnhdir
snlfncdir
nlattinit
nlattctl
nlattdestroy
nlerlpe
nlerbem
nlpagip
nlnvgap
nlnvfbp
nlnvdbp
nlnvuva
nlnvibb
nlnvszs
nlvlloadp
nlvlcr
nlstdini
nlvlsetopt
nlnvcrs
nldscppt
nlnvnnv
nlnvgin
nldsfprintf
nldatxt
nldtshget
nldsinfo
nlnvisa
nlnvibp
nlnvfbt
nlnvgtn
nlnvunm
nlersec
snlinAddrLoopback
nlvlsern
nltmdif
nldntAddAddr
nlstackpush
nlsqGetFirst
nlsqGetFirstKey
nlsqUpdate
nlsqRemove
nlsqInsert
nlsqInit
snlpcgetenvv
nlpcglutabfc
nlnviet
nluits
nlpcatrm
nlstackpop
nlhtbnew
nluiheql
nluihkey
nlhthnewWDup
nlsqIsEmpty
nlcmprini
nlcmprend
nlhthdel
nluicrt
nladtrm
nldntAddHNVB
nladget
nladini_t
nlcmprd
nlcmprc
nlcmprrini
nldthdump
nlddpacketdump
nlhtbget_del
nlhtbput
nlhtbfre
nlhtbseq
snlffls
snlfvfp
snlfwrt
nldswrite
nldsopen
nluifs
snlpcgpid
snlpcdetach
nlergoc
nlerrse
nlerrec
nlhthput
nlhthget
snlfglh
nlercrs
snlfgch
snlfuch
nlfncons
nlerpestk
nldsflush
nlhthskey
nlhthteq
nldtin2
nldtalter
nlnvgta
nlnvuvb
nlnvcpb
snlinFreeAddrInfo
snlinV4mappedToV4
snlinGetAddrInfo
nlrfini
nlrfaddrule
nlrfgetrtlen
nlrfgetrules
nlrfgetrlslen
nlrfgetrlcnt
nlrffilter
nlrfclrrules
nlrfdelrule
nlrftrm
nlhthnew
nlhthseq
nlhthfre
nlhthsize
nlepeinit
nleminz
nlerinit
snlinInit
nldaini
nlifigbl
nlpauseldap
nlpains
nldntkey
nldnteql
nlepeterm
nlpatrm
nlban2
nlpainso
nldsinit
nldsdestroy
nleme2t
nlddGetAlertName
nldsvfprintf
nldtdiaginit
nlddGetFileName
nldtalter_cycle
nldtin2_cycle
nldddestroy
nlddinit
nlddalter
nlpainf
nlpaexpp
nlemMTtrans
nldsMTtrans
nlepeMTtrans
nlnvlet
nlnvlkn
nlersic
nlnvcbp
nlpagup
nlerfec
nlershow
snlfrnm
snlfprh
nlercss
snlftmp
nlergmfi
nlerfic
nlerric
nlerasi
nldntfrewe
snlinDestroy
nlemdestroy
nlerdestroy
nliftgbl
nlrntrm
nldatrm
nldtdestroy
nlse_term_audit
nlpagetldparam
nlpaseq
nlddMTtrans
orancrypt12
naeshaf
naectc
naemd5h
naemd5p
naemd5n
naedpwd_decrypt
naemd5g
naedpwd_encrypt
naegprdm
naeetau
naeetnu
naeetcu
naectn
naeshau
naeshai
naeeti
naeetc
naeetn
naedhp
naecti
naecta
naeeta
naedhpk
naedhsk
oranro12
sncrswntgad
orannzsbb12
ztub64en
ztchf
ztchn
ztucbtx
nzgbllsm_location_shared_memory
nzdsi_init
nzdycs1_start
ztcedchk
ztuc8tx
ztucxt8
ztcedgks
ztcedecb
ztvovg
ztub64d
ztub64gol
nzdye_encrypt
nzdycs0_stop
ztvp522
ztcedec
ztcx
nztSearchNZDefault
nztSetAppDefaultLocation
nztwCloseWallet
nzssGSL_GetSecretLength
nzssGEBV_GetEntryByValue
nzssGS_GetSecret
nzos_OpenWallet
nzdsi_initialize
nzdst_terminate
ztub64e
ztch
ztceenc
orazt12
nzsuppni_nl_init
nzsuppnt_nl_term
nzsupppl_pkivendor_lookup
nzsuppwl_wallet_lookup
nzsuppgp_get_parameter
nzsuppti_trace_init
nzsupptw_trace_write
nzsuppte_trace_exit
oranldap12
nnflboot
oranhost12
nnfhboot
orancds12
nnfdboot
orantns12
nnftboot
oraztkg12
ztk_server_init_context
ztk_error_message
ztk_client_init_context
ztk_free_context
ztk_client_set_name
ztk_client_set_host
ztk_client_send_auth_aso1
ztk_server_recv_auth_aso1_new
ztk_server_recv_auth_aso2
ztk_is_fwd_cred
ztk_client_send_auth_aso2
oracore12
ltmftm
sscoreserverflag
ss_mem_cal
ss_mem_alc
ss_mem_fre
lstclo
lstprintf
sltsmnr
sltsmna
sltrusleep
ldxsto
ldxdts
lpminit
lpmexitprog
lpmterm
slzgetevar
lstup
lstmclo
sltsmxd
sltsmnt
sltsmxi
lcvb24
ltmini
ltmdei
lstmup
sltmgcs
sltskydestroy
sltskyc
lcvb2w
lcvw2b
sltskys
ltmdrv
sltsmxm
lstlo
sltskyg
ltmntm
ltmngid
sltrgatime64
ltmstm
ltmctm
ltmtxp
ltmdif
ss_mem_ral
oranls12
lxmopen
lxmcpen
lxoCmpStr
lxsCnvCase
lxoSchPat
lxmfwtx
lxmfwdx
lxhLangEnv
lxhLaToId
lxovid
lxsCmpStr
lxoCmpNStr
lxlinit
lxinitc
lxsCnvEqui
lxsCnvSimple
oracommon12
sigtu
osnttc
sigunmu
sisvttd
orageneric12
dbgtGrpE_int
dbgtDumpMemWrf_int
dbgtDumpMem_int
dbgtWrf_int
dbgtTrc_int
dbgdChkEventIntV
dbgtCtrl_intEvalCtrlEvent
dbgtCtrl_intEvalCtrlFlags
dbgtCtrl_intEvalTraceFilters
sltln
dbgaDmpCtxParamStructGet
dbgtGrpB_int
orauts
GetLastError
GetProcAddress
CloseHandle
GetCurrentThread
GetModuleHandleA
longjmp
GetCurrentThreadId
LoadLibraryA
FreeLibrary
SetEvent
select
ioctlsocket
socket
connect
send
recv
WSAGetLastError
closesocket
WSAStartup
WSACleanup
CreateEventA
WSADuplicateSocketA
WaitForSingleObject
WSASocketA
WSAEventSelect
ReleaseMutex
CreateMutexA
WSAWaitForMultipleEvents
ResetEvent
WSAGetOverlappedResult
WSARecv
WSACloseEvent
WSACreateEvent
Sleep
ws2_32
ntohs
htons
htonl
getsockname
ntohl
__WSAFDIsSet
gethostname
kernel32
UnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
DisableThreadLibraryCalls
DecodePointer
EncodePointer
GetThreadLocale
SetUnhandledExceptionFilter
IsBadReadPtr
GetSystemTimeAsFileTime
GetCurrentProcessId
OpenEventA
CreateFileMappingA
FileTimeToSystemTime
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
FileTimeToLocalFileTime
lstrcpyA
lstrlenA
GetTickCount
HeapFree
LocalFree
LocalAlloc
HeapAlloc
GetProcessHeap
GetModuleFileNameA
GetCurrentProcess
GetComputerNameA
lstrcmpiA
MultiByteToWideChar
GetVersionExA
WideCharToMultiByte
FormatMessageA
OpenFileMappingA
UnmapViewOfFile
MapViewOfFile
ExpandEnvironmentStringsA
advapi32
FreeSid
GetLengthSid
LookupAccountNameA
OpenThreadToken
ConvertSidToStringSidA
CheckTokenMembership
EqualSid
GetUserNameA
GetTokenInformation
OpenProcessToken
LookupAccountSidW
CreateWellKnownSid
AllocateAndInitializeSid
CloseServiceHandle
QueryServiceConfigA
OpenServiceA
OpenSCManagerA
LsaClose
LsaFreeMemory
LsaQueryInformationPolicy
LsaOpenPolicy
user32
CharUpperA
wsprintfA
msvcr100
_gmtime64
atol
memmove
realloc
memchr
qsort
_setjmp
strtok
strtol
signal
wcscat
wcscpy
_snprintf
strstr
wcscmp
atoi
strncmp
printf
strchr
strrchr
vsprintf
isdigit
sprintf
strncpy
feof
free
memcpy
malloc
calloc
memset
_errno
sscanf
_getch
isspace
strtoul
memcmp
_mktime64
wcsncpy
wcslen
strcmp
__iob_func
fputs
_malloc_crt
_initterm
_initterm_e
_getpid
_encoded_null
_amsg_exit
__C_specific_handler
__CppXcptFilter
__clean_type_info_names_internal
_unlock
__dllonexit
_lock
_onexit
__crt_debugger_hook
_memicmp
_open
_fdopen
_localtime64
ole32
CoUninitialize
CoInitialize
oleaut32
VariantClear
Exports
Exports
lnc64bufsz
lnc64tor
lncchk
lncecb
lncgks
lnchtl
lnclth
lncmd4cont
lncmd4finish
lncmd4hash
lncmd4start
lncrto64
lncupw
lncupwe
naba_register
nabagmn
nacomin
nacomrc
nacomrp
nacomsd
nacomsn
nacomsu
nacomtm
naconnect
nactl_internal
nadisc
naecison
naedelt
naeeison
naefips
naeucaa_checksum_init
naeucae_compute_checksum
naeucaf_check_checksum
naeucah_terminate_checksum
naeueab_encryption_init
naeueac_encrypt
naeuead_decrypt
naeueag_terminate_encryption
naeueai_delt
naeueaj_encrypt_chksum
nafrctx
nagblini
nagbltrm
nagetctxinfo
nainfoini
nainit
nam_gbp
nam_gic
nam_gnsp
nam_mal
nam_ngcso
nam_ngmcso
nam_ngso
nam_nscmp
nam_vpw
nams006
nams022
nams029
nams086
nams099
nams173
nams401
nams402
nams403
nams404
nams405
nams406
nams407
nams408
nams409
nams410
nams411
nams412
nams413
nams414
nams415
nams416
nams417
nams420
nams421
nams422
nams424
nams425
nassky
nasssi
nassst
nasvcnum
nasvcs
nasvctx
nauk5akerberos
nauk5z4_initall
nauk5z5_deinitall
nauk5zd_kdestroy
nauk5zi_kinit
nauk5zl_klist
naumbsb_bld_singlebyte
naumrpr
naumver
naun5InitMachineSid
naun5oldDllMain
naungetx509username
naunts
naunts5
nauradius
nautab0
nautab1
nautab2
nautab3
nautabhnum
nautabonum
nautabtnum
nautabznum
nautan1info
nautan2info
nautan3info
nazgat
nazscrlf_client_roles_free
nazsepwd
nazsfcr
nazsfpr
nazsfreename
nazsfsm_fill_shared_memory
nazsfsr
nazsgcnm
nazsgpnm
nazsgsms_get_shared_memory_size
nazsgsnm
nazsgunm
nazslon
nazslsm_location_shared_memory
nazsorlf_other_roles_free
nazsprv
nazsrcf
nazsrfc
nazsrpc
nazsunprv
nicgh
nicghn
niffctxdmpcb
niffqbldmpcb
niffqpsdmpcb
nigcall
nigcui
nigini1
nigini2
nigsui
nigsuiMTtrans
nigtrm
niinhas
niinhdh
niinhrs
niinhstni
niocto
nioqbr
nioqfl
nioqfpsw
nioqrc
nioqrs
nioqsn
nioqts
nioqwa
niotns
niqlce
niqlce1
niqme
niqnam_validate
niqname
niqpsini
nlpspen
nlpucar
nlpucrs
nlpucval
nlpudev
nlpufvp
nlpugck
nlpugtyp
nlpuiterate
nlpunth
nlpunvl
nlpuszs
nlstdal
nlstdap
nlstdat
nlstdgg
nlstdggo
nlstdgo
nlstdltmini
nlstdp1_alter_param_1
nlstdstp
nmpidei_deinit
nmpido_proc_request
nmpifmsg_free_message
nmpifnd_find_match
nmpigetssp
nmpigms_get_message
nmpipms_put_message
nmpiptb_process_table_var
nmpiscm_set_community
nncians
nnciasc
nncicad
nncicnm
nncidei
nncidh
nncidld
nncidnm
nncidns_discover_ns
nncifdb
nncigdd
nncigdn
nnciiad
nnciian
nnciidn
nnciihx
nnciimt
nnciitx
nnciiub
nncilst
nncin2a
nnciqd1
nnciqdn
nnciqnm
nncireg
nncirns
nnciscn
nncisdd
nncisec
nncissz
nncitim
nnciunm
nnciunr
nnciuns
nnciurr
nncivdn
nncpcbf_copy_buffer
nncpcin_maybe_init
nncpdpt_dump_ptable
nncpgwa_init_srvlist
nncpper_push_err
nnfcagmd
nnfciauto
nnfcmmal
nnfcmmcl
nnfcmmde
nnfcmmin
nnfcppbf_prepend_buffer
nnfcraa
nnfcran
nnfcrcl
nnfcrde
nnfcria
nnfcrin
nnfgainit
nnfgans
nnfgdei
nnfgdnm
nnfgfrm
nnfggav
nnfggdd
nnfgqdn
nnfgqnm
nnfgrne
nnfgrnm
nnfgsai
nnfgsdd
nnfgsrsp
nnfgssrv
nnfgune
nnfgurr
nnfgvdn
nnfsdei
nnfsgan_get_adapter_no
nnfsgdn
nnfsgis_get_installed_service
nnfsgsrv_get_service
nnfsn2a
nnfsn2awanm
nngdpns_ping_ns
nngdrdl_read_discovery_list
nngdwdl_write_discovery_list
nngmfcv_format_csecval
nngmisb_init_snmp_buf
nngmlog
nngmlsv_log_stat_value
nngmnvi_nv_iterate
nngmotm_output_time_trace
nngmp2e
nngmpga_get_addr
nngmpgb_get_bool
nngmpgs_get_string
nngmpgu_get_unsigned
nngpdei_deinit_perf
nngpini_init_perf
nngptvr_timer_var_req
nngrard_add_rr
nngrc2n_code2name
nngrcprr_copy_rr
nngrdma_del_match_rr
nngrdty_del_by_type
nngrfma_find_match
nngrfrd_free_rr
nngrfrm_free_list_mems
nngrmrg_merge_rrlists
nngrnrd_new_rr
nngrolf_output_to_domain_file
nngrorl_output_list_trace
nngrsmd
nngrt2n_rrtype2name
nngrtma_type_match
nngrtn2c_type_name2code
nngrxty_iter_next
nngsaeq_addr_equalp
nngscls_close_stream
nngsdei_deinit_streams
nngsfad_free_stream_addr
nngsget_get_stream
nngsgts_get_stream_cache
nngshdi_init_ncro
nngsini_init_streams
nngsiso_stream_openp
nngslis_listen_stream
nngsmad_my_addr
nngsnad_new_stream_addr
nngsrhd_register_handler
nngsrhk_register_housekeeper
nngsxch_extend_cache
nngsxne_xlate_ns_err
nngtcpta_typarr_copy
nngtdei_deinit_msg
nngtfmt_free_msg_type
nngtfoa_free_objarr
nngtgma_get_msg_asn
nngtini_init_msg
nngtmeq_msg_equalp
nngtnms_new_msg
nngtnob_next_obj
nngtnrd_new_rr
nngtnty_new_type
nngtpma_put_msg_asn
nngtrms_release_msg
nngturcp_copy_moddir
nngturin_init_moddir
nngwkfad_free_adtab
nngwkmnw_make_ns_wellknown
nngwkmwt_make_wk_table
nngwkt2l_table_to_list
nngxcad_create_addr
nngxcmp_compare_datbuf
nngxiad_init_addr
nngxian_init_any
nngxidb_init_dname_datbuf
nngxidn_init_dname
nngxihx_init_hex
nngximt_init_meta
nngxitx_init_text
nngxiub_init_ub
nngxmt2f_meta_text2flag
nngxmtf
nngxn2t_stx_name2code
nngxndb_new_datbuf
nngxnmb_dname_belowp
nngxodn_dname_text
nngxqdn_qualify_dname
nngxt2n_stx_code2name
nngxvad_validate_addr
nngxvdt_validate_dtext
nngxwst_datbuf_to_stream
npGetIndex
npGetPS
npgetservice
npgetstring
npgettab
npgettabent
npinit
nplicmo_compare_oid
nplicpo_copy_oid
nplidei_deinitpc
nplifls_flushpc
nplifoi_free_oid
npligbc_get_begin_construct
npligec_get_end_construct
nplignd_enc_end_p
nplignl_get_null
nplignm_get_num
npligof_get_octetstr_offset
npligoi_get_oid
npligos_get_octetstr
npligpk_get_peek
npligs5_get_ia5str
npligsf_get_ia5str_offset
npligun_get_unum
npliini_initpc
nplio2t_oid2text
nplipnl_put_null
nplipnm_put_num
nplipoi_put_oid
nplipos_put_octetstr
nplippc_put_pop_construct
nplips5_put_ia5str
nplipuc_put_push_construct
nplipun_put_unum
nplit2o_text2oid
nprecv
npredirect
nprefuse
nprfactlstlen
nprfaddrule
nprfdelrule
nprffilter
nprfgetrlcnt
nprfgetrules
nprfini
nprfsetrules
nprftrm
npsesstab
nptab
nptabent
npterm
nrguea
nricall
nrigbd
nrigbi
nrigbni
nrigrt
nrtnsvrs
nruipt
nruitc
nrulcl
nrulcs
nrulge
nrulgn
nruloe
nrulol
nrutec
nrutei
nruter
nruvers
ns2serr
nsDHandoff
nsaccept
nsaccwi
nsadopt
nsanswer
nsba_get_list
nsba_register
nsballoc
nsbeqdh
nsbequeath
nsbfree
nsbifl
nsbiget
nsbiini
nsbinject
nsbiput
nsbitrm
nsbnt
nsboverhead
nsbrecv
nsbsend
nsc2addr
nscall
nsclose
nscontrol
nscxdsave
nscxdsfree
nscxdssave
nsdhHandoff
nsdhctx_close
nsdhctx_establish
nsdhctx_inuse
nsdhctx_respond
nsdhpurge
nsdisc
nsdo
nsdofprecv
nsdofpsend
nsdosb
nsdosend
nsdoswitch_to_fp
nsdowt4snd
nsdread
nsdrecv
nsdsend
nsdwrite
nserr2pe
nserrbd
nsevmute
nsevmute_wtimeout
nsevpost
nsevpreg
nsevpunreg
nsevreg
nsevrgs
nsevrgs_full
nsevsig
nsevunreg
nsevunregevt
nsevwait
nsevwtsg
nsexport
Sections
.text Size: 4.0MB - Virtual size: 4.0MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 262KB - Virtual size: 261KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 31KB - Virtual size: 31KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.trace Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1024B - Virtual size: 752B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 20KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ