cheat[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

cheat.dll
Size

5.9MB
MD5

cca9baf26d26a2114aa9e7f7defee185
SHA1

f54efc2e074dc06ed8f95d898e597c85de0400ff
SHA256

a7d504fc4168113cc32af9be73aa3465ba22c1043c4c4926d66692b545b63643
SHA512

da97a24462059db602b1e110606750fb6aa4b1f03369b549c3980ae7594c161ac8f1369e907bdeef9abf09c3edbb4451a128899f723a559e325de69fbdad6836
SSDEEP

49152:O1D78O0QKPVKUn5tVJBrRd03cbE4X84VP0nBJTTPXWljYoMPRps1ZXqmg4yP3JM4:lOuHV/Vz6QxUM3hexdf

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cheat.dll

Files

cheat.dll
.dll windows:6 windows x64 arch:x64

419149ff2f90c863ab1e823b43f2f6b0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\unixian\Desktop\projects\weave\build\debug\cheat.pdb

Imports

ucrtbased

_CrtDbgReport
__acrt_iob_func
__stdio_common_vfprintf
__stdio_common_vsprintf
__stdio_common_vsprintf_s
_beginthread
_beginthreadex
_callnewh
_calloc_dbg
_cexit
_configure_narrow_argv
_crt_at_quick_exit
_crt_atexit
_difftime64
_dsign
_dtest
_errno
_execute_onexit_table
_fdsign
_fdtest
_free_dbg
_fseeki64
_get_stream_buffer_pointers
_gmtime64
_initialize_narrow_environment
_initialize_onexit_table
_invalid_parameter
_itoa
_ldsign
_ldtest
_localtime64
_localtime64_s
_lock_file
_malloc_dbg
_mktime64
_register_onexit_function
_seh_filter_dll
_stat64i32
_stricmp
_time64
_unlock_file
_wassert
_wcsicmp
abort
abs
acosf
atan2f
atanf
atoi
calloc
ceilf
cos
cosf
exit
exp
fclose
feof
ferror
fflush
fgetc
fgetpos
fgets
floorf
fmaf
fmodf
fopen
fopen_s
fputc
fputs
fread
free
freopen_s
fseek
fsetpos
ftell
fwrite
getenv
isdigit
isspace
isupper
ldexp
localeconv
log
lroundf
malloc
memset
pow
powf
qsort
rand
realloc
roundf
setvbuf
sin
sinf
sqrt
sqrtf
strcat
strcmp
strcpy
strcpy_s
strftime
strlen
strncat
strncmp
strncpy
strtod
strtol
strtoll
strtoul
strtoull
tanf
terminate
tolower
toupper
ungetc
wcslen

vcruntime140d

_CxxThrowException
__C_specific_handler
__current_exception
__current_exception_context
__intrinsic_setjmp
__std_exception_copy
__std_exception_destroy
_purecall
longjmp
memchr
memcmp
memcpy
memmove
strchr
strrchr
strstr

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AllocConsole
CloseHandle
CreateEventA
CreateFileA
CreateFileMappingA
CreateSemaphoreA
CreateThread
CreateToolhelp32Snapshot
DeleteCriticalSection
EnterCriticalSection
FindClose
FindCloseChangeNotification
FindFirstChangeNotificationA
FindFirstFileA
FindNextChangeNotification
FindNextFileA
FlushInstructionCache
FormatMessageA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetFileSizeEx
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleExA
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetSystemInfo
GetThreadContext
GlobalAlloc
GlobalLock
GlobalUnlock
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
InitializeCriticalSection
InitializeSRWLock
IsDebuggerPresent
IsProcessorFeaturePresent
LeaveCriticalSection
MapViewOfFile
MultiByteToWideChar
OpenThread
QueryPerformanceCounter
QueryPerformanceFrequency
ReadFile
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ReleaseSemaphore
ResumeThread
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetConsoleTextAttribute
SetConsoleTitleA
SetEvent
SetThreadContext
SetUnhandledExceptionFilter
Sleep
SleepConditionVariableSRW
SuspendThread
TerminateProcess
Thread32First
Thread32Next
TryAcquireSRWLockExclusive
TryAcquireSRWLockShared
UnhandledExceptionFilter
UnmapViewOfFile
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WakeAllConditionVariable

user32

CallWindowProcA
CloseClipboard
EmptyClipboard
FindWindowA
GetClientRect
GetCursorPos
GetForegroundWindow
GetKeyState
GetKeyboardLayout
GetSystemMetrics
GetWindowThreadProcessId
MapVirtualKeyA
MapVirtualKeyExW
MessageBoxA
OpenClipboard
ScreenToClient
SetClipboardData
SetWindowLongPtrA
ToUnicodeEx

winmm

PlaySoundA

ws2_32

InetPtonW
WSACleanup
WSAGetLastError
WSAStartup
closesocket
getpeername
getsockopt
htons
recv
recvfrom
send
sendto
setsockopt

msvcp140d

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
??0_Locinfo@std@@QEAA@PEBD@Z
??0_Lockit@std@@QEAA@H@Z
??0facet@locale@std@@IEAA@_K@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
??1_Locinfo@std@@QEAA@XZ
??1_Lockit@std@@QEAA@XZ
??1facet@locale@std@@MEAA@XZ
??2_Crt_new_delete@std@@SAPEAX_K@Z
??3_Crt_new_delete@std@@SAXPEAX@Z
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z
??7ios_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??Bios_base@std@@QEBA_NXZ
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Getlconv@_Locinfo@std@@QEBAPEBUlconv@@XZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Throw_Cpp_error@std@@YAXH@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ
?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ
?_Xbad_alloc@std@@YAXXZ
?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
?copyfmt@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAAEAV12@AEBV12@@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?flags@ios_base@std@@QEAAHH@Z
?flags@ios_base@std@@QEBAHXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?good@ios_base@std@@QEBA_NXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$numpunct@D@std@@2V0locale@2@A
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?precision@ios_base@std@@QEAA_J_J@Z
?precision@ios_base@std@@QEBA_JXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?setf@ios_base@std@@QEAAHH@Z
?setf@ios_base@std@@QEAAHHH@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?uncaught_exceptions@std@@YAHXZ
?unsetf@ios_base@std@@QEAAXH@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
_Cnd_do_broadcast_at_thread_exit
_Mtx_destroy_in_situ
_Mtx_init_in_situ
_Mtx_lock
_Mtx_trylock
_Mtx_unlock
_Query_perf_counter
_Query_perf_frequency
_Thrd_detach
_Thrd_hardware_concurrency
_Thrd_yield
_Xtime_get_ticks

iphlpapi

IcmpCloseHandle
IcmpCreateFile
IcmpSendEcho2

vcruntime140_1d

__CxxFrameHandler4

advapi32

CryptAcquireContextW
CryptGenRandom
CryptReleaseContext

Sections

.text
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 827KB - Virtual size: 827KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.0MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 249KB - Virtual size: 249KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.CRT
Size: 512B - Virtual size: 304B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 45B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 424B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

419149ff2f90c863ab1e823b43f2f6b0

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ucrtbased

vcruntime140d

kernel32

user32

winmm

ws2_32

msvcp140d

iphlpapi

vcruntime140_1d

advapi32

Sections

.text Size: 3.8MB - Virtual size: 3.8MB

.rdata Size: 827KB - Virtual size: 827KB

.data Size: 1.0MB - Virtual size: 1.1MB

.pdata Size: 249KB - Virtual size: 249KB

.00cfg Size: 512B - Virtual size: 56B

.CRT Size: 512B - Virtual size: 304B

.tls Size: 512B - Virtual size: 45B

.rsrc Size: 512B - Virtual size: 424B

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 3.8MB - Virtual size: 3.8MB

.rdata
Size: 827KB - Virtual size: 827KB

.data
Size: 1.0MB - Virtual size: 1.1MB

.pdata
Size: 249KB - Virtual size: 249KB

.00cfg
Size: 512B - Virtual size: 56B

.CRT
Size: 512B - Virtual size: 304B

.tls
Size: 512B - Virtual size: 45B

.rsrc
Size: 512B - Virtual size: 424B

.reloc
Size: 5KB - Virtual size: 5KB