FirewallAPI.pdb
Static task: static1
Behavioral task: behavioral1
Sample: FirewallAPI.dll
Resource: win10v2004-20240226-en
General
Target: FirewallAPI.dll
Size: 389KB
MD5: 1c51ad91a68e7356e3e89ce746464058
SHA1: 6b2a97c80bd8967605fd416f5fda90155465dbf5
SHA256: 2dc5e6ee61991dc85058a5b91b8ae099dd637ef02de59941ef66707dc6780d4a
SHA512: 37d181df9e8ff0e0548e20df490c1919bc3be92f314c9d7799da4c3cd36b7b2d2e24060ed7d19787e8179ec351fed0f7ddb7248ffd583f01b74a6bab523ead1c
SSDEEP: 12288:Kl1mqA9/3uvsnD4YyQe/O+mcmUEK5kpg/JUKG27grajmm:KXmqAxysnDa3/O+mcmUEK5kpg/JUKG2F
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
resource FirewallAPI.dll
Files
FirewallAPI.dll.dll regsvr32 windows:10 windows x86 arch:x86
acf9109abe5f7c9bf23adb34afe55f22
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
_amsg_exit
_XcptFilter
_initterm
_callnewh
_wcsnicmp
qsort
?terminate@@YAXXZ
??1type_info@@UAE@XZ
memcmp
_vsnwprintf
wcstok
_wcsicmp
_purecall
wcscpy_s
realloc
wcscat_s
_CxxThrowException
__CxxFrameHandler3
memcpy
malloc
free
_except_handler4_common
memset
rpcrt4
CStdStubBuffer_DebugServerQueryInterface
RpcEpResolveBinding
RpcAsyncCancelCall
RpcBindingSetAuthInfoExW
CStdStubBuffer_IsIIDSupported
RpcAsyncCompleteCall
RpcBindingFree
RpcStringBindingComposeW
RpcBindingFromStringBindingW
IUnknown_QueryInterface_Proxy
RpcBindingSetOption
NdrClientCall4
RpcAsyncInitializeHandle
RpcStringFreeW
UuidToStringW
UuidCreate
CStdStubBuffer_DebugServerRelease
IUnknown_AddRef_Proxy
NdrAsyncClientCall2
NdrCStdStubBuffer2_Release
NdrDllUnregisterProxy
NdrDllRegisterProxy
NdrDllGetClassObject
NdrDllCanUnloadNow
CStdStubBuffer_Invoke
NdrStubForwardingFunction
NdrStubCall2
NdrOleAllocate
IUnknown_Release_Proxy
CStdStubBuffer_AddRef
NdrOleFree
api-ms-win-core-com-midlproxystub-l1-1-0
ObjectStublessClient18
ObjectStublessClient20
ObjectStublessClient15
ObjectStublessClient23
NdrProxyForwardingFunction6
CStdStubBuffer2_Disconnect
ObjectStublessClient7
ObjectStublessClient13
ObjectStublessClient22
CStdStubBuffer2_QueryInterface
ObjectStublessClient19
CStdStubBuffer2_CountRefs
ObjectStublessClient14
NdrProxyForwardingFunction4
NdrProxyForwardingFunction5
ObjectStublessClient8
ObjectStublessClient9
ObjectStublessClient26
ObjectStublessClient17
ObjectStublessClient10
ObjectStublessClient12
ObjectStublessClient25
ObjectStublessClient16
ObjectStublessClient21
NdrProxyForwardingFunction3
ObjectStublessClient24
CStdStubBuffer2_Connect
ObjectStublessClient11
api-ms-win-core-synch-l1-1-0
WaitForSingleObject
LeaveCriticalSection
AcquireSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryAcquireSRWLockExclusive
EnterCriticalSection
DeleteCriticalSection
CreateEventW
InitializeSRWLock
SetEvent
ReleaseSRWLockShared
InitializeCriticalSection
api-ms-win-core-libraryloader-l1-2-0
GetProcAddress
FreeLibrary
LoadLibraryExW
DisableThreadLibraryCalls
GetModuleFileNameW
FindResourceExW
SizeofResource
LoadResource
GetModuleHandleW
api-ms-win-core-string-l2-1-0
CharPrevW
CharNextW
api-ms-win-core-errorhandling-l1-1-0
UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter
api-ms-win-core-registry-l1-1-0
RegEnumKeyExW
RegEnumValueW
RegRestoreKeyW
RegOpenCurrentUser
RegOpenKeyExW
RegDeleteTreeW
RegQueryValueExW
RegQueryInfoKeyW
RegDeleteValueW
RegSetValueExW
RegCloseKey
RegCreateKeyExW
RegSaveKeyExW
api-ms-win-core-string-obsolete-l1-1-0
lstrcmpiW
lstrcpynW
api-ms-win-core-memory-l1-1-0
VirtualQuery
VirtualAlloc
VirtualProtect
api-ms-win-core-sysinfo-l1-1-0
GetSystemTimeAsFileTime
GetSystemInfo
GetTickCount
GetTickCount64
api-ms-win-core-string-l1-1-0
CompareStringW
CompareStringOrdinal
MultiByteToWideChar
ntdll
RtlIpv4AddressToStringW
EtwEventWrite
RtlEqualSid
RtlCapabilityCheck
RtlInitUnicodeString
RtlGetCurrentServiceSessionId
RtlIpv6StringToAddressW
RtlIpv4StringToAddressW
EtwTraceMessage
EtwEventUnregister
EtwEventRegister
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
RtlIpv6AddressToStringW
api-ms-win-core-heap-l1-1-0
HeapFree
HeapAlloc
HeapDestroy
GetProcessHeap
api-ms-win-security-base-l1-1-0
AccessCheck
DuplicateTokenEx
CheckTokenMembership
RevertToSelf
GetLengthSid
IsValidSid
CreateWellKnownSid
api-ms-win-core-version-l1-1-0
GetFileVersionInfoSizeExW
GetFileVersionInfoExW
VerQueryValueW
api-ms-win-core-heap-l2-1-0
LocalAlloc
LocalFree
api-ms-win-core-synch-l1-2-0
Sleep
api-ms-win-core-localization-l1-2-0
FormatMessageW
GetThreadUILanguage
GetSystemDefaultLangID
api-ms-win-core-processthreads-l1-1-0
GetCurrentThread
TerminateProcess
SetThreadToken
GetCurrentProcessId
GetCurrentProcess
OpenThreadToken
GetCurrentThreadId
OpenProcessToken
api-ms-win-core-threadpool-l1-2-0
CreateThreadpoolTimer
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
CreateThreadpoolWait
SetThreadpoolWaitEx
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
SetThreadpoolWait
api-ms-win-security-base-l1-2-0
CheckTokenCapability
api-ms-win-eventing-provider-l1-1-0
EventUnregister
EventRegister
EventWriteTransfer
EventSetInformation
api-ms-win-core-debug-l1-1-0
IsDebuggerPresent
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
dnsapi
DnsRemoveNrptRule
DnsGetNrptRuleNamesList
DnsSetNrptRules
DnsFreeNrptRuleNamesList
api-ms-win-eventing-classicprovider-l1-1-0
TraceMessage
api-ms-win-core-apiquery-l1-1-0
ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1
ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0
DelayLoadFailureHook
Exports
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
FWAddAuthenticationSet
FWAddConnectionSecurityRule
FWAddCryptoSet
FWAddDynamicKeywordAddress0
FWAddDynamicKeywordAddress_Int
FWAddFirewallRule
FWAddFirewallRuleWithRemoteDynamicKeywordAddresses
FWAddMainModeRule
FWAddSecurityRealm
FWChangeNotificationCreate
FWChangeNotificationDestroy
FWChangeTransactionalState
FWClosePolicyStore
FWCopyAuthenticationSet
FWCopyConnectionSecurityRule
FWCopyCryptoSet
FWCopyDynamicKeywordRuleLink
FWCopyFirewallRule
FWDeleteAllAuthenticationSets
FWDeleteAllConnectionSecurityRules
FWDeleteAllCryptoSets
FWDeleteAllFirewallRules
FWDeleteAllMainModeRules
FWDeleteAuthenticationSet
FWDeleteConnectionSecurityRule
FWDeleteCryptoSet
FWDeleteDynamicKeywordAddress0
FWDeleteDynamicKeywordAddress_Int
FWDeleteFirewallRule
FWDeleteMainModeRule
FWDeletePhase1SAs
FWDeletePhase2SAs
FWDeleteSecurityRealm
FWDiagGetAppList
FWEnumAdapters
FWEnumAuthenticationSets
FWEnumConnectionSecurityRules
FWEnumCryptoSets
FWEnumDynamicKeywordAddressById0
FWEnumDynamicKeywordAddressesByType0
FWEnumDynamicKeywordAddresses_Int
FWEnumDynamicKeywordRuleLinkById
FWEnumDynamicKeywordRuleLinksByStore
FWEnumFirewallRules
FWEnumMainModeRules
FWEnumNetworks
FWEnumPhase1SAs
FWEnumPhase2SAs
FWEnumProducts
FWExportPolicy
FWFreeAdapters
FWFreeAuthenticationSet
FWFreeAuthenticationSets
FWFreeAuthenticationSetsByHandle
FWFreeConnectionSecurityRule
FWFreeConnectionSecurityRules
FWFreeConnectionSecurityRulesByHandle
FWFreeCryptoSet
FWFreeCryptoSets
FWFreeCryptoSetsByHandle
FWFreeDiagAppList
FWFreeDynamicKeywordAddressData0
FWFreeDynamicKeywordRuleLinks
FWFreeFirewallRule
FWFreeFirewallRules
FWFreeFirewallRulesByHandle
FWFreeFirewallRulesOld
FWFreeMainModeRule
FWFreeMainModeRules
FWFreeMainModeRulesByHandle
FWFreeNetworks
FWFreePhase1SAs
FWFreePhase2SAs
FWFreeProducts
FWGetConfig
FWGetConfig2
FWGetGlobalConfig
FWGetGlobalConfig2
FWGetGlobalConfig3
FWGetIndicatedPortInUse
FWImportPolicy
FWIndicatePortInUse
FWIndicateProxyForUrl
FWIndicateProxyResolverRefresh
FWIndicateTupleInUse
FWIndicateTupleInUse2
FWIsTargetAProxy
FWOpenPolicyStore
FWQueryAuthenticationSets
FWQueryConnectionSecurityRules
FWQueryCryptoSets
FWQueryFirewallRules
FWQueryIsolationType
FWQueryMainModeRules
FWRegisterProduct
FWResetIndicatedPortInUse
FWResetIndicatedTupleInUse
FWRestoreDefaults
FWRestoreGPODefaults
FWRevertTransaction
FWSelectConSecRule
FWSetAuthenticationSet
FWSetConfig
FWSetConnectionSecurityRule
FWSetCryptoSet
FWSetFirewallRule
FWSetFirewallRuleWithRemoteDynamicKeywordAddresses
FWSetGlobalConfig
FWSetGlobalConfig2
FWSetMainModeRule
FWStatusMessageFromStatusCode
FWUnregisterProduct
FWUpdateDynamicKeywordAddress0
FWUpdateDynamicKeywordAddress_Int
FWVerifyAuthenticationSet
FWVerifyAuthenticationSetQuery
FWVerifyConnectionSecurityRule
FWVerifyConnectionSecurityRuleQuery
FWVerifyCryptoSet
FWVerifyCryptoSetQuery
FWVerifyFirewallRule
FWVerifyFirewallRuleQuery
FWVerifyMainModeRule
FWVerifyMainModeRuleQuery
FwActivate
FwAlloc
FwAllocCheckSize
FwAllowedProgramsAdd
FwAllowedProgramsDelete
FwAnalyzeFirewallPolicy
FwAnalyzeFirewallPolicyOnProfile
FwApiHelperFree
FwApiHelperInit
FwBstrToInterfaceTypes
FwBstrToPorts
FwConvertIPv6SubNetToRange
FwCopyAuthSet
FwCopyMainModeRule
FwCopyWFAddressesContents
FwEmptyWFAddresses
FwFree
FwFreeAddresses
FwFreePorts
FwGetAddressesAsString
FwGetCurrentProfile
FwGetVersionField
FwIcmpSettingsEnum
FwIcmpSettingsSet
FwInterfaceTypesToBstr
FwIsGroupPolicyEnforced
FwIsRemoteManagementEnabled
FwLogSettingsSet
FwMergeAddresses
FwMulticastBroadcastResponsesEnum
FwMulticastBroadcastResponsesSet
FwNotificationsEnum
FwNotificationsSet
FwOpModesEnum
FwOpModesSet
FwPortOpeningsAdd
FwPortOpeningsDelete
FwProfileTypeCurrentGet
FwProfileTypeGet
FwRestoreDefaults
FwServicesEnum
FwServicesSet
FwStringToAddresses
FwStringToPorts
GetDisabledInterfaces
IcfAddrChangeNotificationCreate
IcfChangeNotificationCreate
IcfChangeNotificationDestroy
IcfConnect
IcfDisconnect
IcfFreeDynamicFwPorts
IcfFreeProfile
IcfFreeTickets
IcfGetCurrentProfileType
IcfGetDynamicFwPorts
IcfGetOperationalMode
IcfGetProfile
IcfGetTickets
IcfIsPortAllowed
IcfOpenDynamicFwPortWithoutSocket
IcfSubNetsGetScope
IsFirewallInCoExistanceMode
IsPortOrICMPAllowed
NetworkIsolationAddAllowEnterpriseIdRule
NetworkIsolationCreateAllInterfacesContainer
NetworkIsolationCreateAppContainer
NetworkIsolationCreateAppContainerLoopbackRules
NetworkIsolationCreateContainer
NetworkIsolationCreateInterfaceContainer
NetworkIsolationDeleteAllInterfacesContainer
NetworkIsolationDeleteAllowEnterpriseIdRule
NetworkIsolationDeleteAppContainer
NetworkIsolationDeleteAppContainerLoopbackRules
NetworkIsolationDeleteContainer
NetworkIsolationDeleteInterfaceContainer
NetworkIsolationDeleteUserAppContainers
NetworkIsolationDiagnoseConnectFailure
NetworkIsolationDiagnoseConnectFailureAndGetInfo
NetworkIsolationDiagnoseListen
NetworkIsolationDiagnoseSocketCreation
NetworkIsolationEnumAppContainers
NetworkIsolationEnumerateAppContainerRules
NetworkIsolationFreeAppContainers
NetworkIsolationGetAppContainer
NetworkIsolationGetAppContainerConfig
NetworkIsolationGetEnterpriseId
NetworkIsolationGetEnterpriseIdAsync
NetworkIsolationGetEnterpriseIdClose
NetworkIsolationRegisterForAppContainerChanges
NetworkIsolationSetAppContainerConfig
NetworkIsolationSetupAppContainerBinaries
NetworkIsolationUnregisterForAppContainerChanges
Sections
.text Size: 329KB - Virtual size: 328KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 8KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 1024B - Virtual size: 836B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 25KB - Virtual size: 25KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 23KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ