cheat[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

cheat.dll
Size

5.8MB
MD5

b211275eba5e01d70a0d03501b7d7edf
SHA1

6ad9850d50e4680f029773a646ad2731fc17d9ba
SHA256

8de7049c3e1271339a661c013cf6143a3ef450a40707840f874746baa33a94e8
SHA512

868498a2d41d30587735550565c6cb3923bf83e8e7de288f8f20d65ba18702c838ea8a779c8ef58f93fcaa1d3916cf4035668f816fc4abc3a37ea1eafcb3c109
SSDEEP

49152:WF4HNM67Vw0s3ldveFgKQAqlE/YcxTNLCHzzRlnnU3NPPXWljYoMPR5s1Zzdng47:WFIVwj5AqM2CaxnM3h+

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cheat.dll

Files

cheat.dll
.dll windows:6 windows x64 arch:x64

3f33d01f71e47503d1b557d0e3420d85

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

H:\ww\build\debug\cheat.pdb

Imports

ucrtbased

_CrtDbgReport
___lc_codepage_func
__acrt_iob_func
__stdio_common_vfprintf
__stdio_common_vsprintf
__stdio_common_vsprintf_s
_beginthread
_beginthreadex
_callnewh
_calloc_dbg
_cexit
_configure_narrow_argv
_crt_at_quick_exit
_crt_atexit
_difftime64
_dsign
_dtest
_errno
_execute_onexit_table
_fdsign
_fdtest
_free_dbg
_fseeki64
_get_stream_buffer_pointers
_gmtime64
_initialize_narrow_environment
_initialize_onexit_table
_invalid_parameter
_itoa
_ldsign
_ldtest
_localtime64
_localtime64_s
_lock_file
_malloc_dbg
_mktime64
_register_onexit_function
_seh_filter_dll
_stat64i32
_stricmp
_time64
_unlock_file
_wassert
_wcsicmp
abort
abs
acosf
atan2f
atanf
atoi
calloc
ceilf
cos
cosf
exit
exp
fclose
feof
ferror
fflush
fgetc
fgetpos
fgets
floorf
fmaf
fmodf
fopen
fopen_s
fputc
fputs
fread
free
freopen_s
fseek
fsetpos
ftell
fwrite
getenv
isdigit
isspace
isupper
ldexp
localeconv
log
lroundf
malloc
memset
pow
powf
qsort
rand
realloc
roundf
setvbuf
sin
sinf
sqrt
sqrtf
strcat
strcmp
strcpy
strcpy_s
strftime
strlen
strncat
strncmp
strncpy
strtod
strtol
strtoll
strtoul
strtoull
tanf
terminate
tolower
toupper
ungetc
wcslen

vcruntime140d

_CxxThrowException
__C_specific_handler
__current_exception
__current_exception_context
__intrinsic_setjmp
__std_exception_copy
__std_exception_destroy
_purecall
longjmp
memchr
memcmp
memcpy
memmove
strchr
strrchr
strstr

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AllocConsole
AreFileApisANSI
CloseHandle
CopyFileW
CreateDirectoryExW
CreateDirectoryW
CreateEventA
CreateFileA
CreateFileMappingA
CreateFileW
CreateHardLinkW
CreateSemaphoreA
CreateSymbolicLinkW
CreateThread
CreateToolhelp32Snapshot
DeleteCriticalSection
DeviceIoControl
EnterCriticalSection
FindClose
FindCloseChangeNotification
FindFirstChangeNotificationA
FindFirstFileA
FindFirstFileExW
FindFirstFileW
FindNextChangeNotification
FindNextFileA
FindNextFileW
FlushInstructionCache
FormatMessageA
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExW
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileSizeEx
GetFinalPathNameByHandleW
GetFullPathNameW
GetLastError
GetLocaleInfoEx
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleExA
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetSystemInfo
GetTempPathW
GetThreadContext
GlobalAlloc
GlobalLock
GlobalUnlock
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
InitializeCriticalSection
InitializeSRWLock
IsDebuggerPresent
IsProcessorFeaturePresent
LeaveCriticalSection
LocalFree
MapViewOfFile
MoveFileExW
MultiByteToWideChar
OpenThread
QueryPerformanceCounter
QueryPerformanceFrequency
ReadFile
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ReleaseSemaphore
ResumeThread
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetConsoleTextAttribute
SetConsoleTitleA
SetCurrentDirectoryW
SetEvent
SetFileAttributesW
SetFileInformationByHandle
SetFileTime
SetThreadContext
SetUnhandledExceptionFilter
Sleep
SleepConditionVariableSRW
SuspendThread
TerminateProcess
Thread32First
Thread32Next
TryAcquireSRWLockExclusive
TryAcquireSRWLockShared
UnhandledExceptionFilter
UnmapViewOfFile
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WakeAllConditionVariable
WideCharToMultiByte

winmm

PlaySoundA

user32

CallWindowProcA
CloseClipboard
EmptyClipboard
FindWindowA
GetAsyncKeyState
GetClientRect
GetCursorPos
GetForegroundWindow
GetKeyState
GetKeyboardLayout
GetSystemMetrics
GetWindowThreadProcessId
MapVirtualKeyA
MapVirtualKeyExW
MessageBoxA
OpenClipboard
ScreenToClient
SetClipboardData
SetWindowLongPtrA
ToUnicodeEx

d3d11

D3D11CreateDeviceAndSwapChain

ws2_32

InetPtonW
WSACleanup
WSAGetLastError
WSAStartup
closesocket
connect
getpeername
getsockopt
htons
recv
recvfrom
send
sendto
setsockopt
socket

msvcp140d

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
??0_Locinfo@std@@QEAA@PEBD@Z
??0_Lockit@std@@QEAA@H@Z
??0facet@locale@std@@IEAA@_K@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
??1_Locinfo@std@@QEAA@XZ
??1_Lockit@std@@QEAA@XZ
??1facet@locale@std@@MEAA@XZ
??2_Crt_new_delete@std@@SAPEAX_K@Z
??3_Crt_new_delete@std@@SAXPEAX@Z
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z
??7ios_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??Bios_base@std@@QEBA_NXZ
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Getlconv@_Locinfo@std@@QEBAPEBUlconv@@XZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Syserror_map@std@@YAPEBDH@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ
?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ
?_Winerror_map@std@@YAHH@Z
?_Xbad_alloc@std@@YAXXZ
?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?copyfmt@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAAEAV12@AEBV12@@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?flags@ios_base@std@@QEAAHH@Z
?flags@ios_base@std@@QEBAHXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?good@ios_base@std@@QEBA_NXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$numpunct@D@std@@2V0locale@2@A
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?precision@ios_base@std@@QEAA_J_J@Z
?precision@ios_base@std@@QEBA_JXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?setf@ios_base@std@@QEAAHH@Z
?setf@ios_base@std@@QEAAHHH@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?uncaught_exceptions@std@@YAHXZ
?unsetf@ios_base@std@@QEAAXH@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
_Cnd_do_broadcast_at_thread_exit
_Mtx_lock
_Mtx_trylock
_Mtx_unlock
_Query_perf_counter
_Query_perf_frequency
_Thrd_detach
_Thrd_hardware_concurrency
_Thrd_yield
_Xtime_get_ticks

iphlpapi

IcmpCloseHandle
IcmpCreateFile
IcmpSendEcho2

vcruntime140_1d

__CxxFrameHandler4

advapi32

CryptAcquireContextW
CryptGenRandom
CryptReleaseContext

Sections

.text
Size: 3.7MB - Virtual size: 3.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 832KB - Virtual size: 831KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.0MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 241KB - Virtual size: 241KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.CRT
Size: 512B - Virtual size: 296B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 45B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 424B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3f33d01f71e47503d1b557d0e3420d85

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ucrtbased

vcruntime140d

kernel32

winmm

user32

d3d11

ws2_32

msvcp140d

iphlpapi

vcruntime140_1d

advapi32

Sections

.text Size: 3.7MB - Virtual size: 3.7MB

.rdata Size: 832KB - Virtual size: 831KB

.data Size: 1.0MB - Virtual size: 1.1MB

.pdata Size: 241KB - Virtual size: 241KB

.00cfg Size: 512B - Virtual size: 56B

.CRT Size: 512B - Virtual size: 296B

.tls Size: 512B - Virtual size: 45B

.rsrc Size: 512B - Virtual size: 424B

.reloc Size: 6KB - Virtual size: 5KB

.text
Size: 3.7MB - Virtual size: 3.7MB

.rdata
Size: 832KB - Virtual size: 831KB

.data
Size: 1.0MB - Virtual size: 1.1MB

.pdata
Size: 241KB - Virtual size: 241KB

.00cfg
Size: 512B - Virtual size: 56B

.CRT
Size: 512B - Virtual size: 296B

.tls
Size: 512B - Virtual size: 45B

.rsrc
Size: 512B - Virtual size: 424B

.reloc
Size: 6KB - Virtual size: 5KB