fwbase[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

fwbase.dll
Size

169KB
MD5

087efd291c603c8b5cd4ed1aafed4577
SHA1

0fbbd0d2ca4d88d195c649080fd705fdae0c5555
SHA256

aa4891ac476e1bd54b79ee1a228c2ab397ea849bb497a0b96195a6a2fef89e70
SHA512

5b9f5e82ce974a79c13ed5dbb769c16349356250cd7f59aa0f48bf1539e8f47d980fc5d834a543f66781e39a2f1bfc88469977e56b899455af709c9884ed49d9
SSDEEP

3072:Rzu0MFaRbO4cOlMBPosuWccUXBMdKfK9UmG9eJYCJoMuoad8gS6qcbnZ:RqiO4cOlMBPoSBUXBMYlmGuYCiMDgS6b

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fwbase.dll

Files

fwbase.dll
.dll windows:10 windows x86 arch:x86

d8d5fd03e905303a8e2a6e75e0c58c0d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

fwbase.pdb

Imports

msvcrt

iswalpha
wcstok_s
qsort
_XcptFilter
_except_handler4_common
memmove
memcpy
_amsg_exit
free
memcpy_s
towupper
??1type_info@@UAE@XZ
memcmp
__CxxFrameHandler3
??1exception@@UAE@XZ
_onexit
_CxxThrowException
??0exception@@QAE@ABV0@@Z
_purecall
memmove_s
wcsncmp
_lock
memset
wcschr
wcstoul
iswdigit
wcspbrk
__dllonexit
_wcsnicmp
_initterm
??0exception@@QAE@XZ
_ultow
_vsnprintf_s
_vsnwprintf
_unlock
??3@YAXPAX@Z
malloc
_wcsicmp

ntdll

EtwEventWrite
RtlIpv4AddressToStringW
RtlIpv4StringToAddressW
NtQueryInformationProcess
RtlContractHashTable
RtlExpandHashTable
RtlEndEnumerationHashTable
RtlEnumerateEntryHashTable
RtlInitEnumerationHashTable
RtlGetNextEntryHashTable
RtlLookupEntryHashTable
RtlInsertEntryHashTable
RtlDeleteHashTable
RtlCreateHashTable
RtlFreeUnicodeString
RtlRemoveEntryHashTable
RtlNtStatusToDosError
RtlCreateServiceSid
NtQueryObject
NtClose
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
RtlInitUnicodeString
EtwTraceMessage
EtwUnregisterTraceGuids
EtwGetTraceEnableFlags
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwRegisterTraceGuidsW
RtlCanonicalizeDomainName

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegNotifyChangeKeyValue
RegDeleteTreeW
RegCloseKey
RegEnumValueW
RegSetValueExW
RegQueryValueExW
RegDeleteValueW
RegQueryInfoKeyW
RegCreateKeyExW

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
CreateMutexExW
LeaveCriticalSection
CreateSemaphoreExW
OpenSemaphoreW
InitializeCriticalSectionEx
InitializeCriticalSectionAndSpinCount
ReleaseMutex
ReleaseSemaphore
ReleaseSRWLockShared
DeleteCriticalSection
EnterCriticalSection
AcquireSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObjectEx
CreateEventW
SetEvent

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-threadpool-private-l1-1-0

RegisterWaitForSingleObjectEx

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem
UnregisterWaitEx

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount
GetComputerNameExW
GetVersionExW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-string-l1-1-0

CompareStringW
MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-libraryloader-l1-2-0

LoadStringW
FreeLibrary
GetProcAddress
GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW
LoadLibraryExW

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-shlwapi-legacy-l1-1-0

PathCanonicalizeW
PathIsRelativeW
PathFindNextComponentW
PathSkipRootW

api-ms-win-core-file-l1-1-0

CreateFileW
GetLongPathNameW
CreateDirectoryW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-security-base-l1-1-0

AllocateAndInitializeSid
GetTokenInformation
GetAce
GetSecurityDescriptorDacl
IsValidSecurityDescriptor
DuplicateTokenEx
AdjustTokenPrivileges
FreeSid

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
OpenProcessToken
GetCurrentProcess
SetThreadToken
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
OpenThreadToken

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

rpcrt4

RpcRevertToSelf
I_RpcBindingInqLocalClientPID
RpcImpersonateClient

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-com-l1-1-0

CoCreateGuid
StringFromGUID2

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CreateThreadpoolTimer
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
CreateThreadpoolWait
SetThreadpoolWait

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

FWIndicatePortInUse_Helper
FwAddrChangeSourceInitialize
FwAddrChangeSourceShutdown
FwAddrChangeSourceSignal
FwAlloc
FwAllocArray
FwAllocCheckSize
FwArrayAppend
FwArrayCat
FwArrayCopy
FwArrayCreateFromRegistry
FwArrayDestroy
FwArrayErase
FwAuthSuiteEmpty
FwAuthSuiteEmptyByVersion
FwAuthorizedAppEncode
FwBaseAlloc
FwBaseAllocCheckSize
FwBaseFree
FwBoolIsEqual
FwBuildIndirectString
FwCanonizeAuthorizedApps
FwChangeSinkCreate
FwChangeSinkDestroy
FwChangeSourceInitialize
FwChangeSourceShutdown
FwChangeSourceSignal
FwChangeSourceSignalStart
FwCloseHandle
FwConstructRemoteMachineSPN
FwCreateDirectory
FwCriticalSectionCreate
FwCriticalSectionDestroy
FwCriticalSectionEnter
FwCriticalSectionLeave
FwDWordMultiply
FwEnableMemTracing
FwEnablePrivilege
FwExpandEnvironmentStrings
FwExtractPortNumber
FwFieldNameMatchStringBegining
FwFinalHash
FwFree
FwFreeCertCriteria
FwFreeRpcCallersProcessInfo
FwGetAppBlockList
FwGetAuthorizedApp
FwGetExpandedCanonicalLongPathName
FwGetIcmpSettings
FwGetLongPathName
FwGetProfileIndexFromProfileType
FwGetProfileTypeFromProfileIndex
FwGetRemoteAdminSettings
FwGetRpcCallersProcessImageName
FwGetRpcCallersProcessInfo
FwGetService
FwGetServiceTypes
FwGetServices
FwGetStaticFwPort
FwGetStringId
FwGetStringIdForStatusCode
FwGetSysPathName
FwGetTokenInformation
FwHResultToWindowsError
FwHashtableCreate
FwHashtableDestroy
FwHashtableEmpty
FwHashtableFind
FwHashtableGetNext
FwHashtableInsert
FwHashtableRemove
FwIOReadPortUseIndications
FwIOWritePortUseIndications
FwIcfAuthBypassServicesDestroy
FwIcfAuthBypassSubNetsDestroy
FwIcfAuthorizedAppCopy
FwIcfAuthorizedAppsCopy
FwIcfAuthorizedAppsDestroy
FwIcfDynamicFwPortDestroy
FwIcfIpV4SubNetsCanonize
FwIcfIpV6SubNetsCanonize
FwIcfSubNetsCopy
FwIcfSubNetsDestroy
FwIcfSubNetsGetScope
FwIcfSubNetsIsEqual
FwImageListDestroy
FwImageListHasImage
FwInitMemoryMgr
FwInitializeHashContext
FwIpV4SubNetDecode
FwIsBuiltInPort
FwIsMachineLocalHost
FwIsValidPorts
FwLicensingIsIoT
FwLicensingIsNetIsolationOnly
FwLicensingIsXbox
FwLoadIndirectString
FwLoadString
FwLookupAccountSid
FwMarshalledMetaDataCopy
FwMarshalledMetaDataInitialize
FwMetaDataAddEnforcementState
FwMetaDataCopy
FwMetaDataFree
FwMetaDataIsEnforcementStatePresent
FwMultiByteToWideChar
FwParseEdpCloudResourceStringToNrptRuleList
FwPortsToString
FwProfileTypesToString
FwRegCloseKey
FwRegCreateKey
FwRegDeleteAllValues
FwRegDeleteKey
FwRegDeleteValue
FwRegEnumValueNameAndValueData
FwRegNotifyCreate
FwRegNotifyDestroy
FwRegOpenKey
FwRegQueryDWord
FwRegQueryNumKeys
FwRegQueryNumValues
FwRegQueryString
FwRegSetDWord
FwRegSetString
FwReleasePrivilege
FwReportErrorAsNtStatus
FwReportErrorAsWinError
FwReportReturnError
FwResolveIndirectString
FwRestructureHashtable
FwServiceSidCreateInPlace
FwSetMemLeakPolicy
FwShutdownMemoryMgr
FwSidCreate
FwSidDestroy
FwSizeTAdd
FwSizeTMultiply
FwSortAddresses
FwSortInterfaceLUIDs
FwStaticFwPortEncode
FwStaticFwPortEncodeValueName
FwStringArrayCopy
FwStringBuild
FwStringCanonicalizeCopy
FwStringCopy
FwStringCopyA
FwStringCopyAtoWAlloc
FwStringCopyWtoAAlloc
FwSubNetsEncode
FwSubstituteDeviceName
FwTriggerGetEventForSource
FwTriggerRearm
FwTriggerRegisterWait
FwTriggerUnregisterWait
FwUpdateHash
FwVerifyAuthenticationSet
FwVerifyAuthenticationSetQuery
FwVerifyConnectionSecurityRule
FwVerifyConnectionSecurityRuleQuery
FwVerifyCryptoSet
FwVerifyCryptoSetQuery
FwVerifyFirewallRule
FwVerifyFirewallRuleQuery
FwVerifyMainModeRule
FwVerifyMainModeRuleQuery
FwVerifyNoHeapLeaks
FwWcsICmp
Int_FWVerifyAuthenticationSet
Int_FWVerifyConnectionSecurityRule
Int_FWVerifyCryptoSet
Int_FWVerifyFirewallRule
Int_FWVerifyMainModeRule
Int_FwIPV4RangeContainsMulticast
Int_FwIPV6RangeContainsMulticast
Int_FwIsV6AddrLoopback
Int_FwValidateAndMigrateSecurityDescriptor
Int_FwValidateComplianceAndReduceAuthSetToVersion
Int_FwValidateComplianceAndReduceConnSecRuleToVersion
Int_FwValidateComplianceAndReduceCryptoSetToVersion
Int_FwValidateComplianceAndReduceFirewallRuleToVersion
Int_FwValidateComplianceAndReduceMainModeRuleToVersion
Int_FwValidateSecurityDescriptor
IsAddressesEmpty
IsCSRuleTunnelMode
IsRuleOldAuthApp
IsRuleOldGlobalOpenPort
IsRuleOldv1Compliant
IsRuleOpenPortOrAuthApp
Isv4AddressesEmpty
Isv6AddressesEmpty

Sections

.text
Size: 150KB - Virtual size: 150KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d8d5fd03e905303a8e2a6e75e0c58c0d

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-threadpool-private-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-string-l2-1-1

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

rpcrt4

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-heap-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 150KB - Virtual size: 150KB

.data Size: 1024B - Virtual size: 1KB

.idata Size: 7KB - Virtual size: 6KB

.didat Size: 512B - Virtual size: 64B

.rsrc Size: 1024B - Virtual size: 1008B

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 150KB - Virtual size: 150KB

.data
Size: 1024B - Virtual size: 1KB

.idata
Size: 7KB - Virtual size: 6KB

.didat
Size: 512B - Virtual size: 64B

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 8KB - Virtual size: 7KB