FirewallAPI[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

FirewallAPI.dll
Size

452KB
MD5

4806fc0f0d75e1176f5d4886a7573b4b
SHA1

2da272e1471f9213de26b539c598916dcafd3800
SHA256

8fa6d9ecfa09e5eda70a6cb08c0753f6e20a26b6e8e0743ee1a9ae631e3337df
SHA512

0f328144910895d0b55a5846114723b08cce3eebf1551956659f2b60c753200a8aa2e7e731524af212bcb18499696da90742ecb6577e2341b7548afb171f4c04
SSDEEP

6144:a6banKDfJV/2jOp9F0XZj9AIM2QIzichmj9iqPRiNsC95glmUwG81zq:a6beKjOjOp98GI4fj9iq3Cg

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
FirewallAPI.dll

Files

FirewallAPI.dll
.dll regsvr32 windows:6 windows x86 arch:x86

f7b28d01c571493e6506759a5698419f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

FirewallAPI.pdb

Imports

msvcrt

??3@YAXPAX@Z
??_V@YAXPAX@Z
memset
malloc
free
realloc
??2@YAPAXI@Z
memcpy
??_U@YAPAXI@Z
_vsnwprintf
wcstok
_wcsicmp
qsort
iswdigit
_wcsnicmp
wcschr
wcstoul
_ultow
wcsncmp
memmove
_CxxThrowException
??1type_info@@UAE@XZ
_except_handler4_common
?terminate@@YAXXZ
_amsg_exit
_initterm
_XcptFilter
towupper
wcspbrk
iswalpha
__CxxFrameHandler3

ntdll

EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
EtwEventUnregister
EtwEventRegister
EtwTraceMessage
RtlIpv4StringToAddressW
RtlIpv6StringToAddressW
RtlNtStatusToDosError
NtClose
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtQueryObject
RtlInitUnicodeString
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
EtwEventWrite
EtwGetTraceEnableFlags

rpcrt4

RpcStringFreeW
UuidToStringW
UuidCreate
RpcBindingSetAuthInfoExW
RpcBindingFree
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingSetOption
RpcEpResolveBinding
NdrClientCall2
NdrOleFree
IUnknown_QueryInterface_Proxy
IUnknown_AddRef_Proxy
IUnknown_Release_Proxy
NdrStubForwardingFunction
NdrStubCall2
NdrDllUnregisterProxy
NdrDllRegisterProxy
NdrCStdStubBuffer2_Release
NdrDllCanUnloadNow
NdrDllGetClassObject
NdrOleAllocate

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

kernel32

SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentThreadId
QueryPerformanceCounter
InterlockedExchange
CompareStringOrdinal
RegisterWaitForSingleObject
GetTickCount
UnregisterWaitEx
CreateFileW
CreateEventW
QueueUserWorkItem
WaitForSingleObject
Sleep
GetLongPathNameW
ExpandEnvironmentStringsW
GetComputerNameExW
GetCurrentThread
GetCurrentProcess
CloseHandle
GetCurrentProcessId
FormatMessageW
HeapFree
SetLastError
GetProcessHeap
HeapAlloc
SetEvent
LocalAlloc
LocalFree
CompareStringW
GetSystemPreferredUILanguages
GetThreadPreferredUILanguages
LoadLibraryExA
InterlockedCompareExchange
DelayLoadFailureHook
LoadLibraryExW
FindResourceW
LoadResource
SizeofResource
lstrlenA
lstrcatW
DisableThreadLibraryCalls
FreeLibrary
GetModuleFileNameW
lstrcpynW
HeapDestroy
lstrcmpiW
GetModuleHandleW
GetProcAddress
LoadLibraryW
InterlockedDecrement
InterlockedIncrement
InitializeCriticalSection
MultiByteToWideChar
VirtualQuery
GetSystemInfo
VirtualAlloc
VirtualProtect
GetVersionExW
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
lstrcpyW
GetLastError
EnterCriticalSection
LeaveCriticalSection
lstrlenW

Exports

Exports

CalculateOpenPortOrAuthAppAddrStringSize
CreateDefaultPerInterfaceIcmpRule
CreateDefaultPerInterfaceOpenPortRule
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
FWAddAuthenticationSet
FWAddConnectionSecurityRule
FWAddCryptoSet
FWAddFirewallRule
FWAddMainModeRule
FWChangeNotificationCreate
FWChangeNotificationDestroy
FWChangeTransactionalState
FWClosePolicyStore
FWCopyAuthenticationSet
FWCopyConnectionSecurityRule
FWCopyCryptoSet
FWCopyFirewallRule
FWDeleteAllAuthenticationSets
FWDeleteAllConnectionSecurityRules
FWDeleteAllCryptoSets
FWDeleteAllFirewallRules
FWDeleteAllMainModeRules
FWDeleteAuthenticationSet
FWDeleteConnectionSecurityRule
FWDeleteCryptoSet
FWDeleteFirewallRule
FWDeleteMainModeRule
FWDeletePhase1SAs
FWDeletePhase2SAs
FWDiagGetAppList
FWEnumAdapters
FWEnumAuthenticationSets
FWEnumConnectionSecurityRules
FWEnumCryptoSets
FWEnumFirewallRules
FWEnumMainModeRules
FWEnumNetworks
FWEnumPhase1SAs
FWEnumPhase2SAs
FWEnumProducts
FWExportPolicy
FWFreeAdapters
FWFreeAuthenticationSet
FWFreeAuthenticationSets
FWFreeConnectionSecurityRule
FWFreeConnectionSecurityRules
FWFreeCryptoSet
FWFreeCryptoSets
FWFreeDiagAppList
FWFreeFirewallRule
FWFreeFirewallRules
FWFreeFirewallRulesOld
FWFreeMainModeRule
FWFreeMainModeRules
FWFreeNetworks
FWFreePhase1SAs
FWFreePhase2SAs
FWFreeProducts
FWGPLock
FWGPUnlock
FWGetConfig
FWGetConfig2
FWGetGlobalConfig
FWGetGlobalConfig2
FWGetIndicatedPortInUse
FWImportPolicy
FWIndicatePortInUse
FWOpenPolicyStore
FWQueryAuthenticationSets
FWQueryConnectionSecurityRules
FWQueryCryptoSets
FWQueryFirewallRules
FWQueryMainModeRules
FWRegisterProduct
FWResetIndicatedPortInUse
FWResolveGPONames
FWRestoreDefaults
FWRestoreGPODefaults
FWRevertTransaction
FWSetAuthenticationSet
FWSetConfig
FWSetConnectionSecurityRule
FWSetCryptoSet
FWSetFirewallRule
FWSetGPHelperFnPtrs
FWSetGlobalConfig
FWSetMainModeRule
FWStatusMessageFromStatusCode
FWUnregisterProduct
FWVerifyAuthenticationSet
FWVerifyAuthenticationSetQuery
FWVerifyConnectionSecurityRule
FWVerifyConnectionSecurityRuleQuery
FWVerifyCryptoSet
FWVerifyCryptoSetQuery
FWVerifyFirewallRule
FWVerifyFirewallRuleQuery
FWVerifyMainModeRule
FWVerifyMainModeRuleQuery
FreeAbsoluteInterfaces
FwActivate
FwAddRule
FwAddSet
FwAddrChangeSourceInitialize
FwAddrChangeSourceShutdown
FwAddrChangeSourceSignal
FwAdvPolicyDecodeFirewallRule
FwAdvPolicyEncodeRule
FwAlloc
FwAllocCheckSize
FwAnalyzeFirewallPolicy
FwAnalyzeFirewallPolicyOnProfile
FwBstrToPorts
FwCSRuleEmpty
FwCSRuleVerify
FwChangeSourceInitialize
FwChangeSourceShutdown
FwChangeSourceSignal
FwChangeSourceSignalStart
FwClosePolicyStore
FwCopyAuthSet
FwCopyCSRule
FwCopyCryptoSet
FwCopyICMPTypeCode
FwCopyLUID
FwCopyMMRule
FwCopyMainModeRule
FwCopyPlatform
FwCopyPortRange
FwCopyPortsContents
FwCopyRule
FwCopyWFAddressesContents
FwCreateLocalTempStore
FwDeleteAllRules
FwDeleteAllSets
FwDeleteRule
FwDeleteSet
FwDestroyLocalTempStore
FwDoNothingOnObject
FwEmptyWFAddresses
FwEmptyWFRule
FwEnableMemTracing
FwEnumRules
FwEnumSets
FwFree
FwFreeAddresses
FwFreeRules
FwFreeSets
FwFreeWFRule
FwGetAddressesAsString
FwGetConfig
FwGetCurrentProfile
FwGetGlobalConfig
FwGetGlobalConfigFromLocalTempStore
FwGetVersionField
FwICFProfileToWfProfile
FwICFProtocolToWfProtocol
FwIPV4RangeContainsMulticast
FwIPV6RangeContainsMulticast
FwIsGroupPolicyEnforced
FwIsRemoteManagementEnabled
FwMMRuleVerify
FwMigrateLegacyAuthenticatedBypassSddl
FwMigrateLegacySettings
FwOpenPolicyStore
FwParseAddressToken
FwPortsToBstr
FwReduceObjectsToVersion
FwResolveIndirectString
FwRuleResolveFlags
FwSddlStringVerify
FwSetConfig
FwSetGlobalConfig
FwSetMemLeakPolicy
FwSetResolveFlags
FwSetRule
FwSetSet
FwStringToAddresses
FwUniteWFAddressesContents
FwVerifyNoHeapLeaks
FwVerifyWFRuleSemantics
FwWfProtocolToICFProtocol
GetDisabledInterfaces
GetOpenPortOrAuthAppAddrScope
IcfAddrChangeNotificationCreate
IcfChangeNotificationCreate
IcfChangeNotificationDestroy
IcfConnect
IcfDisconnect
IcfFreeDynamicFwPorts
IcfFreeProfile
IcfFreeTickets
IcfGetCurrentProfileType
IcfGetDynamicFwPorts
IcfGetOperationalMode
IcfGetProfile
IcfGetTickets
IcfIsPortAllowed
IcfOpenDynamicFwPortWithoutSocket
IcfSubNetsGetScope
IsAddressesEmpty
IsFirewallInCoExistanceMode
IsPortOrICMPAllowed
IsPortsEmpty
IsRuleOldAuthApp
IsRuleOldGlobalOpenPort
IsRuleOpenPortOrAuthApp
IsRulePerInterfaceIcmp
IsRulePerInterfaceOpenPort
Isv4Orv6AddressesEmpty
LoadGPExtensionDll
MakeAbsoluteInterfaces
OpenPortOrAuthAppAddrToString
ValidatePortOrAppAddressString

Sections

.text
Size: 389KB - Virtual size: 388KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 512B - Virtual size: 425B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f7b28d01c571493e6506759a5698419f

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

rpcrt4

version

kernel32

Exports

Exports

Sections

.text Size: 389KB - Virtual size: 388KB

.orpc Size: 512B - Virtual size: 425B

.data Size: 12KB - Virtual size: 12KB

.rsrc Size: 24KB - Virtual size: 24KB

.reloc Size: 25KB - Virtual size: 24KB

.text
Size: 389KB - Virtual size: 388KB

.orpc
Size: 512B - Virtual size: 425B

.data
Size: 12KB - Virtual size: 12KB

.rsrc
Size: 24KB - Virtual size: 24KB

.reloc
Size: 25KB - Virtual size: 24KB