PhoneOm[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

PhoneOm.dll
Size

342KB
MD5

b5bc58a2948b8251f78c9d3647e5b090
SHA1

c393e61be268819d0ae6829f36c8e8cc4b42487a
SHA256

25f71ec5d447b3c3a1b28a8b2ea617d51a2fe2c0898269c00dad869c55d28b6e
SHA512

3c1b4eb903118b94bd486bf9871a7285ae2f563481320305affd1be045d14739fb6baf2fced5aff460bad4ebb29dcf11dd81b5dab71155b4d313e45451161e24
SSDEEP

3072:M4ZjdcvKqHH9y4P6k+1Wn0d42kJRPIEYU/+Jv6VsTdQWM7A3qdsp506/t5eYy/Ea:M44v1Z+dqjWs/0yL5U3XHLGU1dol

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
PhoneOm.dll

Files

PhoneOm.dll
.dll windows:10 windows x86 arch:x86

38aa1b023b3681d9c3f7beea666d771e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

PhoneOm.pdb

Imports

msvcrt

_except_handler4_common
_initterm
_amsg_exit
_XcptFilter
_callnewh
memcpy
realloc
__CxxFrameHandler3
_vsnwprintf_s
_errno
memmove_s
wcsstr
_vsnwprintf
wcsncpy_s
toupper
wcstoul
wcschr
_onexit
__dllonexit
_lock
memcmp
malloc
free
memmove
memcpy_s
_unlock
_purecall
_ftol2
memset

phoneutil

GetCountryCodeFromOperatorNum
GetRpcClientUser
VoipAppIdentityUtilities_GetApplicationByAumid
VoipAppIdentityUtilities_GetApplicationResourceResolverFromApplication
CreateBrandingInfo
MapPlusToDialingPrefix
Phone_FmtText_NonDialerFormat

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree

api-ms-win-core-url-l1-1-0

UrlEscapeW

oleaut32

VarUI4FromStr

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
GetModuleHandleExW
SizeofResource
GetModuleFileNameW
LoadLibraryExW
DisableThreadLibraryCalls
FreeLibrary
GetModuleHandleW
LoadResource
FindResourceExW
GetProcAddress

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsDeleteString
WindowsStringHasEmbeddedNull
WindowsCreateStringReference
WindowsDuplicateString
WindowsCreateString
WindowsIsStringEmpty

api-ms-win-core-synch-l1-1-0

InitializeSRWLock
ReleaseSRWLockShared
AcquireSRWLockExclusive
OpenEventW
ReleaseMutex
CreateSemaphoreExW
ReleaseSemaphore
InitializeCriticalSectionEx
DeleteCriticalSection
EnterCriticalSection
OpenSemaphoreW
AcquireSRWLockShared
WaitForSingleObjectEx
CreateMutexExW
ReleaseSRWLockExclusive
LeaveCriticalSection
CreateEventW
InitializeCriticalSection
WaitForSingleObject
SetEvent

api-ms-win-core-com-l1-1-0

CoCreateFreeThreadedMarshaler
CoIncrementMTAUsage
CoTaskMemRealloc
CoReleaseMarshalData
CoGetCallerTID
CreateStreamOnHGlobal
StringFromGUID2
CoMarshalInterface
CoTaskMemFree
CoTaskMemAlloc
CoGetApartmentType
CoCreateInstance
CoDecrementMTAUsage

api-ms-win-core-registry-l1-1-0

RegQueryInfoKeyW
RegCloseKey
RegSetValueExW
RegQueryValueExW
RegEnumKeyExW
RegGetValueW
RegOpenKeyExW
RegCreateKeyExW
RegDeleteValueW
RegNotifyChangeKeyValue

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventUnregister
EventProviderEnabled
EventRegister

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-winrt-error-l1-1-0

RoOriginateErrorW
RoTransformError
RoOriginateError
SetRestrictedErrorInfo
GetRestrictedErrorInfo

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-core-errorhandling-l1-1-0

GetLastError
RaiseException
SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter

rpcrt4

RpcBindingSetAuthInfoExW
RpcStringBindingComposeW
RpcExceptionFilter
RpcStringFreeW
NdrClientCall4
RpcBindingFree
RpcBindingFromStringBindingW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-file-l1-1-0

CompareFileTime
CreateFileW
GetFileSizeEx

api-ms-win-core-localization-l1-2-0

FormatMessageW
GetLocaleInfoW

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentProcess
OpenProcessToken
TerminateProcess
OpenThreadToken
GetCurrentThread
SetThreadToken
GetCurrentThreadId

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringA
OutputDebugStringW

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolWait
CreateThreadpoolWait
CloseThreadpoolWait
CreateThreadpoolTimer
CloseThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolWorkCallbacks
CloseThreadpoolWork
SubmitThreadpoolWork
FreeLibraryWhenCallbackReturns
WaitForThreadpoolWaitCallbacks
CreateThreadpoolWork
WaitForThreadpoolTimerCallbacks

api-ms-win-service-management-l1-1-0

OpenSCManagerW
OpenServiceW
CloseServiceHandle

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus

api-ms-win-security-base-l1-1-0

GetTokenInformation
RevertToSelf

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize
RoGetActivationFactory

api-ms-win-core-winrt-error-l1-1-1

RoReportFailedDelegate
IsErrorPropagationEnabled
RoGetMatchingRestrictedErrorInfo

api-ms-win-core-synch-l1-2-0

Sleep
WakeAllConditionVariable
SleepConditionVariableSRW
InitOnceExecuteOnce

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

ntdll

NtQueryInformationToken
RtlInitUnicodeString
RtlAllocateHeap
RtlFreeHeap
RtlCompareUnicodeString
NtQueryWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlNtStatusToDosErrorNoTeb

combase

ord157
ord90

api-ms-win-security-accesshlpr-l1-1-0

QueryTransientObjectSecurityDescriptor
FreeTransientObjectSecurityDescriptor

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolQueueTask
SHTaskPoolAllowThreadReuse

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

CreatePhoneRpcClient
DTMFModeListener_CreateInstance
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
PhoneAPIInitialize
PhoneAPIUninitialize
PhoneAcceptIncoming
PhoneAcceptIncomingEx
PhoneAcceptUpgradingRealTimeTextCall
PhoneAcceptVideo
PhoneActivateVisualVoicemail
PhoneAddListener
PhoneAddVideo
PhoneCallCapabilityAccessCheck
PhoneCallVoicemail
PhoneCancelNonSeamlessUpgrade
PhoneClearIdleCallsFromController
PhoneConference
PhoneConfirmNonSeamlessUpgrade
PhoneDeactivateVisualVoicemail
PhoneDial
PhoneDowngradeFromRealTimeTextCall
PhoneDropAccept
PhoneDropAcceptEx
PhoneDropVideo
PhoneEnableBluetoothHandsFree
PhoneEnd
PhoneExecutePendingDtmfWait
PhoneExitEmergencyMode
PhoneExplicitCallTransfer
PhoneFinishRecording
PhoneFlash
PhoneFormatPhoneNumber
PhoneFreeCallInfo
PhoneFreeRecordingApplicationList
PhoneGetActiveAppByType
PhoneGetActiveSpamFilterApp
PhoneGetAggregateBranding
PhoneGetAppListByType
PhoneGetAssistedDialNumber
PhoneGetAssistedDialSetting
PhoneGetAvailableActions
PhoneGetBlockPrivateNumbersSetting
PhoneGetBlockUnknownNumbersSetting
PhoneGetBluetoothHandsFreeState
PhoneGetBrandingText
PhoneGetCallCounts
PhoneGetCallInfo
PhoneGetCallState
PhoneGetCallsInConference
PhoneGetCellularApiComponentInfo
PhoneGetDefaultOutgoingLine
PhoneGetDeviceRealTimeTextAutomaticEnabled
PhoneGetDeviceRealTimeTextEnabled
PhoneGetDeviceSupportsVideoCalling
PhoneGetElapsedTime
PhoneGetLinePublicInfo
PhoneGetLinePublicSettings
PhoneGetLines
PhoneGetLinesEx
PhoneGetMute
PhoneGetNetworkAlert
PhoneGetPreferredCallUpgradeLine
PhoneGetProviderLineInfo
PhoneGetProviderLineLockInfo
PhoneGetProviderLineServiceInfo
PhoneGetProviderLineVvmConnectivityState
PhoneGetRecordingApplications
PhoneGetShouldMuteKeypad
PhoneGetSpeaker
PhoneGetState
PhoneGetVideoCapabilities
PhoneGetVideoCapabilitySharingSettings
PhoneGetVisualVoicemailAccessor
PhoneGetVisualVoicemailBranding
PhoneGetVoicemailNumberAndOverrideInfo
PhoneGetWiredHeadsetState
PhoneHandleAppUninstallByType
PhoneInitiateCallUpgrade
PhoneInitiateRetrievalOfCIDRestrictionSupport
PhoneIsActionAvailable
PhoneIsDtmfWaitPending
PhoneIsEmergencyNumber
PhoneIsImmediateDialString
PhoneIsPhoneNumberInBlockList
PhoneIsVideoCallingEnabled
PhoneIsVideoCallingSwitchActionable
PhoneIsVoiceRoamingRestrictionActive
PhoneIsVvmSetupComplete
PhoneMapIddPrefixToPlus
PhoneMapPlusToDialingPrefix
PhoneMarkDataAffinityNotificationSeen
PhoneMarkVvmSetupComplete
PhoneModifyCallForwarding
PhoneModifyCallerIdSetting
PhoneModifyVideoCallingSetting
PhoneModifyVoicemailAddress
PhoneNotificationHelper_CreateInstance
PhonePauseRecording
PhonePrivate
PhonePublicDial
PhoneRefreshCallForwardingState
PhoneRefreshEcbmState
PhoneRefreshVideoCallingSetting
PhoneReinitiateCallerIdLookup
PhoneRejectIncoming
PhoneRejectVideo
PhoneRemoveListener
PhoneSaveVvmPassword
PhoneSendDTMF
PhoneSendDTMFStart
PhoneSendDTMFStop
PhoneSendRealTimeTextData
PhoneSetActiveAppByType
PhoneSetActiveSpamFilterApp
PhoneSetBlockPrivateNumbersSetting
PhoneSetBlockUnknownNumbersSetting
PhoneSetCallOriginInfo
PhoneSetCallerAsActiveAppByType
PhoneSetFilterAppBlockList
PhoneSetForegroundLine
PhoneSetHold
PhoneSetLocalVideo
PhoneSetMute
PhoneSetPreferredCallUpgradeLine
PhoneSetRecordingApplication
PhoneSetReminderInfo
PhoneSetSpeaker
PhoneSetVideoCapabilitySharingSettings
PhoneSetVideoPaused
PhoneSpamFilteringEnabled
PhoneStartRecording
PhoneStartVisualVoicemailSync
PhoneSupportsLocalVvmConfig
PhoneSwap
PhoneUpgradeToRealTimeTextCall
PhoneWaitForAPIReady
RetrieveSystemNotificationCallbackPayload
ShouldPlayCallWaitingTone

Sections

.text
Size: 311KB - Virtual size: 310KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

38aa1b023b3681d9c3f7beea666d771e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

phoneutil

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-url-l1-1-0

oleaut32

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

rpcrt4

api-ms-win-core-handle-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

ntdll

combase

api-ms-win-security-accesshlpr-l1-1-0

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 311KB - Virtual size: 310KB

.data Size: 512B - Virtual size: 2KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 32B

.rsrc Size: 1024B - Virtual size: 1008B

.reloc Size: 20KB - Virtual size: 19KB

.text
Size: 311KB - Virtual size: 310KB

.data
Size: 512B - Virtual size: 2KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 32B

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 20KB - Virtual size: 19KB