FirewallAPI[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

FirewallAPI.dll
Size

407KB
MD5

5a25e38406d3b34fac1fa37a17d0b99e
SHA1

6705b1c5613b4546ac59f8104bf21a2e98e5a6ac
SHA256

9b3ed4f4d128f13b3dcb80230c65b74920ca20f62fce3ac0a6d0ae3dc27750f8
SHA512

020548591559779f49b2da6dc548643c44215f8ca0938ff506da07d70bb5cc7a4c86e5cfc70c015303872513c4f4eb455f0c2a9f1f0e7a85df347a0c88bda8fc
SSDEEP

6144:zVMQiMREoGGDB5hvQ3ou5O/ADeFfy2UTaHKkMyoEe4tMauD0bQIlR9+bRXptk81V:zVm8hvQhBDfaCyo4juD0nP+tN1vd

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
FirewallAPI.dll

Files

FirewallAPI.dll
.dll regsvr32 windows:10 windows x86 arch:x86

318d4c3d2bbdc4fce040e18b0196750f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

FirewallAPI.pdb

Imports

msvcrt

memmove_s
_callnewh
_vsnprintf_s
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
_XcptFilter
memcpy_s
_wcsnicmp
_amsg_exit
qsort
_initterm
_vsnwprintf
memcpy
memcmp
wcstok
_CxxThrowException
?terminate@@YAXXZ
_except_handler4_common
_wcsicmp
_purecall
??1type_info@@UAE@XZ
__dllonexit
wcscpy_s
__CxxFrameHandler3
realloc
wcscat_s
_lock
_unlock
malloc
free
_onexit
memset

rpcrt4

IUnknown_Release_Proxy
UuidCreate
NdrOleAllocate
UuidToStringW
RpcStringFreeW
RpcAsyncInitializeHandle
CStdStubBuffer_AddRef
CStdStubBuffer_DebugServerRelease
RpcBindingSetOption
RpcBindingFromStringBindingW
RpcStringBindingComposeW
CStdStubBuffer_DebugServerQueryInterface
NdrAsyncClientCall2
NdrClientCall4
IUnknown_AddRef_Proxy
RpcEpResolveBinding
IUnknown_QueryInterface_Proxy
CStdStubBuffer_IsIIDSupported
NdrOleFree
RpcAsyncCompleteCall
RpcBindingFree
RpcBindingSetAuthInfoExW
NdrStubCall2
NdrStubForwardingFunction
RpcAsyncCancelCall
NdrCStdStubBuffer2_Release
NdrDllUnregisterProxy
NdrDllRegisterProxy
NdrDllGetClassObject
NdrDllCanUnloadNow
CStdStubBuffer_Invoke

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient14
ObjectStublessClient11
CStdStubBuffer2_CountRefs
ObjectStublessClient24
ObjectStublessClient12
ObjectStublessClient22
ObjectStublessClient25
ObjectStublessClient20
ObjectStublessClient15
ObjectStublessClient23
NdrProxyForwardingFunction6
CStdStubBuffer2_Disconnect
ObjectStublessClient7
ObjectStublessClient13
ObjectStublessClient18
CStdStubBuffer2_QueryInterface
ObjectStublessClient19
ObjectStublessClient21
CStdStubBuffer2_Connect
NdrProxyForwardingFunction4
NdrProxyForwardingFunction5
ObjectStublessClient8
NdrProxyForwardingFunction3
ObjectStublessClient26
ObjectStublessClient17
ObjectStublessClient10
ObjectStublessClient9
ObjectStublessClient16

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
ReleaseSemaphore
InitializeCriticalSectionEx
InitializeCriticalSection
ReleaseSRWLockExclusive
WaitForSingleObject
AcquireSRWLockExclusive
WaitForSingleObjectEx
SetEvent
OpenSemaphoreW
ReleaseMutex
ReleaseSRWLockShared
AcquireSRWLockShared
CreateSemaphoreExW
CreateEventW
CreateMutexExW

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
LoadLibraryExW
GetModuleHandleExW
GetProcAddress
GetModuleFileNameA
FreeLibrary
DisableThreadLibraryCalls
SizeofResource
LoadResource
FindResourceExW
GetModuleFileNameW

api-ms-win-core-string-l2-1-0

CharNextW
CharPrevW

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegRestoreKeyW
RegOpenCurrentUser
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
RegDeleteTreeW
RegSaveKeyExW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrcpynW

api-ms-win-core-memory-l1-1-0

VirtualProtect
VirtualAlloc
VirtualQuery

api-ms-win-core-sysinfo-l1-1-0

GetSystemInfo
GetTickCount
GetSystemTimeAsFileTime
GetTickCount64

api-ms-win-core-string-l1-1-0

CompareStringW
CompareStringOrdinal
MultiByteToWideChar

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventRegister
EventUnregister
EventSetInformation

ntdll

RtlEqualSid
RtlCapabilityCheck
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
RtlInitUnicodeString
RtlIpv6StringToAddressW
EtwEventWrite
EtwTraceMessage
EtwEventUnregister
EtwEventRegister
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
RtlIpv4StringToAddressW

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap
HeapDestroy

api-ms-win-security-base-l1-1-0

AccessCheck
CheckTokenMembership
RevertToSelf
CreateWellKnownSid
DuplicateTokenEx

api-ms-win-core-version-l1-1-0

VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-localization-l1-2-0

GetThreadUILanguage
FormatMessageW
GetSystemDefaultLangID

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
SetThreadToken
OpenProcessToken
OpenThreadToken
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
TerminateProcess

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
CreateThreadpoolWait
SetThreadpoolWaitEx
CreateThreadpoolTimer
SetThreadpoolTimer
SetThreadpoolWait

api-ms-win-security-base-l1-2-0

CheckTokenCapability

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

dnsapi

DnsSetNrptRule
DnsRemoveNrptRule
DnsFreeNrptRuleNamesList
DnsGetNrptRuleNamesList

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
FWAddAuthenticationSet
FWAddConnectionSecurityRule
FWAddCryptoSet
FWAddFirewallRule
FWAddMainModeRule
FWAddSecurityRealm
FWChangeNotificationCreate
FWChangeNotificationDestroy
FWChangeTransactionalState
FWClosePolicyStore
FWCopyAuthenticationSet
FWCopyConnectionSecurityRule
FWCopyCryptoSet
FWCopyFirewallRule
FWDeleteAllAuthenticationSets
FWDeleteAllConnectionSecurityRules
FWDeleteAllCryptoSets
FWDeleteAllFirewallRules
FWDeleteAllMainModeRules
FWDeleteAuthenticationSet
FWDeleteConnectionSecurityRule
FWDeleteCryptoSet
FWDeleteFirewallRule
FWDeleteMainModeRule
FWDeletePhase1SAs
FWDeletePhase2SAs
FWDeleteSecurityRealm
FWDiagGetAppList
FWEnumAdapters
FWEnumAuthenticationSets
FWEnumConnectionSecurityRules
FWEnumCryptoSets
FWEnumFirewallRules
FWEnumMainModeRules
FWEnumNetworks
FWEnumPhase1SAs
FWEnumPhase2SAs
FWEnumProducts
FWExportPolicy
FWFreeAdapters
FWFreeAuthenticationSet
FWFreeAuthenticationSets
FWFreeAuthenticationSetsByHandle
FWFreeConnectionSecurityRule
FWFreeConnectionSecurityRules
FWFreeConnectionSecurityRulesByHandle
FWFreeCryptoSet
FWFreeCryptoSets
FWFreeCryptoSetsByHandle
FWFreeDiagAppList
FWFreeFirewallRule
FWFreeFirewallRules
FWFreeFirewallRulesByHandle
FWFreeFirewallRulesOld
FWFreeMainModeRule
FWFreeMainModeRules
FWFreeMainModeRulesByHandle
FWFreeNetworks
FWFreePhase1SAs
FWFreePhase2SAs
FWFreeProducts
FWGetConfig
FWGetConfig2
FWGetGlobalConfig
FWGetGlobalConfig2
FWGetGlobalConfig3
FWGetIndicatedPortInUse
FWImportPolicy
FWIndicatePortInUse
FWIndicateProxyForUrl
FWIndicateProxyResolverRefresh
FWIndicateTupleInUse
FWIndicateTupleInUse2
FWIsTargetAProxy
FWOpenPolicyStore
FWQueryAuthenticationSets
FWQueryConnectionSecurityRules
FWQueryCryptoSets
FWQueryFirewallRules
FWQueryIsolationType
FWQueryMainModeRules
FWRegisterProduct
FWResetIndicatedPortInUse
FWResetIndicatedTupleInUse
FWRestoreDefaults
FWRestoreGPODefaults
FWRevertTransaction
FWSelectConSecRule
FWSetAuthenticationSet
FWSetConfig
FWSetConnectionSecurityRule
FWSetCryptoSet
FWSetFirewallRule
FWSetGlobalConfig
FWSetGlobalConfig2
FWSetMainModeRule
FWStatusMessageFromStatusCode
FWUnregisterProduct
FWVerifyAuthenticationSet
FWVerifyAuthenticationSetQuery
FWVerifyConnectionSecurityRule
FWVerifyConnectionSecurityRuleQuery
FWVerifyCryptoSet
FWVerifyCryptoSetQuery
FWVerifyFirewallRule
FWVerifyFirewallRuleQuery
FWVerifyMainModeRule
FWVerifyMainModeRuleQuery
FwActivate
FwAlloc
FwAllocCheckSize
FwAllowedProgramsAdd
FwAllowedProgramsDelete
FwAnalyzeFirewallPolicy
FwAnalyzeFirewallPolicyOnProfile
FwApiHelperFree
FwApiHelperInit
FwBstrToInterfaceTypes
FwBstrToPorts
FwConvertIPv6SubNetToRange
FwCopyAuthSet
FwCopyMainModeRule
FwCopyWFAddressesContents
FwEmptyWFAddresses
FwFree
FwFreeAddresses
FwFreePorts
FwGetAddressesAsString
FwGetCurrentProfile
FwGetVersionField
FwIcmpSettingsEnum
FwIcmpSettingsSet
FwInterfaceTypesToBstr
FwIsGroupPolicyEnforced
FwIsRemoteManagementEnabled
FwLogSettingsSet
FwMergeAddresses
FwMulticastBroadcastResponsesEnum
FwMulticastBroadcastResponsesSet
FwNotificationsEnum
FwNotificationsSet
FwOpModesEnum
FwOpModesSet
FwPortOpeningsAdd
FwPortOpeningsDelete
FwProfileTypeCurrentGet
FwProfileTypeGet
FwRestoreDefaults
FwServicesEnum
FwServicesSet
FwStringToAddresses
FwStringToPorts
GetDisabledInterfaces
IcfAddrChangeNotificationCreate
IcfChangeNotificationCreate
IcfChangeNotificationDestroy
IcfConnect
IcfDisconnect
IcfFreeDynamicFwPorts
IcfFreeProfile
IcfFreeTickets
IcfGetCurrentProfileType
IcfGetDynamicFwPorts
IcfGetOperationalMode
IcfGetProfile
IcfGetTickets
IcfIsPortAllowed
IcfOpenDynamicFwPortWithoutSocket
IcfSubNetsGetScope
IsFirewallInCoExistanceMode
IsPortOrICMPAllowed
NetworkIsolationAddAllowEnterpriseIdRule
NetworkIsolationCreateAllInterfacesContainer
NetworkIsolationCreateAppContainer
NetworkIsolationCreateAppContainerLoopbackRules
NetworkIsolationCreateContainer
NetworkIsolationCreateInterfaceContainer
NetworkIsolationDeleteAllInterfacesContainer
NetworkIsolationDeleteAllowEnterpriseIdRule
NetworkIsolationDeleteAppContainer
NetworkIsolationDeleteAppContainerLoopbackRules
NetworkIsolationDeleteContainer
NetworkIsolationDeleteInterfaceContainer
NetworkIsolationDeleteUserAppContainers
NetworkIsolationDiagnoseConnectFailure
NetworkIsolationDiagnoseConnectFailureAndGetInfo
NetworkIsolationDiagnoseListen
NetworkIsolationDiagnoseSocketCreation
NetworkIsolationEnumAppContainers
NetworkIsolationEnumerateAppContainerRules
NetworkIsolationFreeAppContainers
NetworkIsolationGetAppContainer
NetworkIsolationGetAppContainerConfig
NetworkIsolationGetEnterpriseId
NetworkIsolationGetEnterpriseIdAsync
NetworkIsolationGetEnterpriseIdClose
NetworkIsolationRegisterForAppContainerChanges
NetworkIsolationSetAppContainerConfig
NetworkIsolationSetupAppContainerBinaries
NetworkIsolationUnregisterForAppContainerChanges

Sections

.text
Size: 345KB - Virtual size: 345KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 828B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

318d4c3d2bbdc4fce040e18b0196750f

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

ntdll

api-ms-win-core-heap-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-profile-l1-1-0

dnsapi

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 345KB - Virtual size: 345KB

.data Size: 2KB - Virtual size: 3KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 1024B - Virtual size: 828B

.rsrc Size: 25KB - Virtual size: 25KB

.reloc Size: 23KB - Virtual size: 23KB

.text
Size: 345KB - Virtual size: 345KB

.data
Size: 2KB - Virtual size: 3KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 1024B - Virtual size: 828B

.rsrc
Size: 25KB - Virtual size: 25KB

.reloc
Size: 23KB - Virtual size: 23KB