certcli[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

certcli.dll
Size

334KB
MD5

1b110e7d9f30b21508dcffd54814b25a
SHA1

c79939134f26ff1428e1819b5ae0ea163d413a0c
SHA256

bcd348f9b05428b3e3599bb8102307b0cc1719928a00f10720f8d2d2da9fa7d7
SHA512

050991c1b63b714a70196091f4faea5cf26a4112340cdd806e44a359cf4fcf5c4834a27c1ce8674202a4654c38c52fead1d7828c5716c9902ffd1a7603947a2f
SSDEEP

6144:Y6ScG6/shZPKAMKOnu4ujoRn/vkDsNGSHgK7COSJJWBSS:Y6RGNhZPKAMdkouD/SRSOBSS

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
certcli.dll

Files

certcli.dll
.dll regsvr32 windows:6 windows x86 arch:x86

5bdc4f0638549099fe06ceaae61dbb5e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

certcli.pdb

Imports

msvcrt

_callnewh
_XcptFilter
_initterm
_amsg_exit
_except_handler4_common
??1type_info@@UAE@XZ
_unlock
_lock
_onexit
free
malloc
__CxxFrameHandler3
memset
vfwprintf
wcsncmp
_wfopen_s
fwprintf
fputws
ferror
isdigit
atoi
strchr
_wgetenv
iswxdigit
iswspace
iswalpha
__isascii
isxdigit
swscanf
??0exception@@QAE@XZ
memcpy_s
??0exception@@QAE@ABV0@@Z
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
memmove_s
wcstoul
wcstol
_wtol
wcsrchr
wcstok
_wcsicmp
wcscspn
_swab
__iob_func
fopen
memcpy
getenv
fseek
ftell
_errno
fwrite
strcspn
fflush
fclose
fprintf
_vsnprintf
_CxxThrowException
iswdigit
_wcsnicmp
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
_wtoi
wcsstr
__dllonexit
_vsnwprintf
_strnicmp
bsearch
wcschr
memmove

atl

ord16
ord15
ord22
ord18
ord32
ord21

ntdll

RtlNtStatusToDosError
RtlValidRelativeSecurityDescriptor
RtlFindMessage

advapi32

AddAccessAllowedObjectAce
RegisterEventSourceW
ReportEventW
DeregisterEventSource
CreateWellKnownSid
ImpersonateLoggedOnUser
RevertToSelf
GetSidSubAuthorityCount
GetSidLengthRequired
GetSidIdentifierAuthority
InitializeSid
GetSidSubAuthority
RegQueryInfoKeyW
GetSecurityDescriptorLength
RegOpenCurrentUser
MakeAbsoluteSD
MakeSelfRelativeSD
SetEntriesInAclW
DuplicateToken
LsaOpenPolicy
LsaQueryInformationPolicy
LsaFreeMemory
LsaClose
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
RegDeleteKeyW
IsValidSecurityDescriptor
GetSecurityDescriptorDacl
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
OpenThreadToken
SetSecurityDescriptorDacl
RegEnumKeyExW
LookupPrivilegeValueW
AdjustTokenPrivileges
EqualSid
DeleteAce
AddAccessAllowedAce
InitializeAcl
GetAclInformation
GetAce
AddAce
OpenProcessToken
GetTokenInformation
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
GetLengthSid
CopySid
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegCreateKeyW
RegOpenKeyW
RegEnumValueW
RegConnectRegistryW
AccessCheck
SetSecurityDescriptorControl
AccessCheckByType
GetSecurityDescriptorControl

crypt32

CertFreeCertificateContext
CertCloseStore
CertStrToNameW
CertDuplicateCertificateContext
CertOpenStore
CryptStringToBinaryW
CryptBinaryToStringA
CryptBinaryToStringW
CryptStringToBinaryA
CertFindCertificateInStore
CertCreateCertificateContext
CertFreeCertificateChain
CertGetCertificateChain
CryptHashCertificate
CertGetCertificateContextProperty
CertDeleteCTLFromStore
CertFindCTLInStore
CryptMsgEncodeAndSignCTL
CertAddEncodedCTLToStore
CryptEncodeObject
CryptFindOIDInfo
CertGetNameStringW
CertNameToStrW
CertFindExtension
CryptHashPublicKeyInfo
CertGetEnhancedKeyUsage
CertGetCRLContextProperty
CertEnumCertificatesInStore
CertSetStoreProperty
CertAddCertificateLinkToStore
CertGetIntendedKeyUsage
CryptFreeOIDFunctionAddress
CryptGetOIDFunctionAddress
CryptInitOIDFunctionSet
CryptSignMessage
CryptEnumOIDInfo
CryptFormatObject
CryptDecodeObject
CertVerifyCertificateChainPolicy
CryptEncodeObjectEx
CryptDecodeObjectEx
CryptMsgClose
CryptMsgGetParam
CryptMsgUpdate
CryptMsgOpenToDecode

kernel32

CreateThread
SearchPathW
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
GetLocaleInfoW
FindResourceExW
OpenProcess
LCIDToLocaleName
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetCurrentProcessId
QueryPerformanceCounter
Sleep
InterlockedExchange
GetCommandLineW
GetTempPathW
FileTimeToLocalFileTime
GetDateFormatW
GetTimeFormatW
FindResourceW
LoadResource
LockResource
OutputDebugStringA
GetSystemDirectoryW
LoadLibraryExW
CompareStringW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetEnvironmentVariableW
FormatMessageW
lstrcmpW
GetComputerNameW
GetFullPathNameW
GetTempFileNameW
DeleteFileW
FileTimeToSystemTime
GetLocalTime
GetTickCount
GetComputerNameExW
WaitForSingleObject
DecodePointer
EncodePointer
GetSystemTimeAsFileTime
CompareFileTime
WriteFile
SetLastError
GetStdHandle
GetFileType
WriteConsoleW
OutputDebugStringW
GetSystemTime
SystemTimeToFileTime
IsDebuggerPresent
LoadLibraryExA
InterlockedCompareExchange
FreeLibrary
DelayLoadFailureHook
HeapFree
MultiByteToWideChar
WideCharToMultiByte
LeaveCriticalSection
EnterCriticalSection
DebugBreak
GetCurrentThreadId
GetVersionExW
lstrlenW
GetLastError
RaiseException
InterlockedIncrement
InterlockedDecrement
CloseHandle
GetCurrentProcess
LoadLibraryW
GetProcAddress
GetModuleHandleW
GetCurrentThread
GetModuleFileNameW
lstrcmpiW
InitializeCriticalSection
DeleteCriticalSection
DisableThreadLibraryCalls
LocalFree
LocalAlloc
LocalReAlloc
ReadFile
GetFileSize
CreateFileW
GetACP
UnregisterWait
HeapAlloc
GetProcessHeap
RegisterWaitForSingleObject
CreateEventW
DuplicateHandle

rpcrt4

RpcBindingSetAuthInfoW
RpcMgmtInqServerPrincNameW
RpcEpResolveBinding
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcNetworkIsProtseqValidW
RpcBindingFree
RpcCancelThreadEx
NdrDllGetClassObject
NdrDllCanUnloadNow
NdrCStdStubBuffer_Release
NdrDllRegisterProxy
NdrDllUnregisterProxy
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_CountRefs
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Invoke
CStdStubBuffer_Disconnect
CStdStubBuffer_Connect
CStdStubBuffer_AddRef
CStdStubBuffer_QueryInterface
IUnknown_Release_Proxy
IUnknown_AddRef_Proxy
IUnknown_QueryInterface_Proxy
NdrOleFree
NdrOleAllocate
UuidCreate
RpcBindingSetAuthInfoExA
NdrClientCall2
RpcStringFreeW

wldap32

ord41
ord224
ord140
ord26
ord210
ord73
ord145
ord13
ord14
ord36
ord79
ord155
ord142
ord113
ord65
ord10
ord21
ord40
ord194
ord12
ord27
ord203
ord69
ord147
ord133
ord18
ord16
ord167
ord127

Exports

Exports

CAAccessCheck
CAAccessCheckEx
CAAddCACertificateType
CAAddCACertificateTypeEx
CACertTypeAccessCheck
CACertTypeAccessCheckEx
CACertTypeAuthzAccessCheck
CACertTypeGetSecurity
CACertTypeQuery
CACertTypeRegisterQuery
CACertTypeSetSecurity
CACertTypeUnregisterQuery
CACloneCertType
CACloseCA
CACloseCertType
CACountCAs
CACountCertTypes
CACreateAutoEnrollmentObjectEx
CACreateCertType
CACreateLocalAutoEnrollmentObject
CACreateNewCA
CADCSetCertTypePropertyEx
CADeleteCA
CADeleteCAEx
CADeleteCertType
CADeleteCertTypeEx
CADeleteLocalAutoEnrollmentObject
CAEnumCertTypes
CAEnumCertTypesEx
CAEnumCertTypesForCA
CAEnumCertTypesForCAEx
CAEnumFirstCA
CAEnumNextCA
CAEnumNextCertType
CAFindByCertType
CAFindByIssuerDN
CAFindByName
CAFindCertTypeByName
CAFreeCAProperty
CAFreeCertTypeExtensions
CAFreeCertTypeProperty
CAGetCACertificate
CAGetCAExpiration
CAGetCAFlags
CAGetCAProperty
CAGetCASecurity
CAGetCertTypeExpiration
CAGetCertTypeExtensions
CAGetCertTypeExtensionsEx
CAGetCertTypeFlags
CAGetCertTypeFlagsEx
CAGetCertTypeKeySpec
CAGetCertTypeProperty
CAGetCertTypePropertyEx
CAGetConfigStringFromUIPicker
CAGetDN
CAInstallDefaultCertType
CAInstallDefaultCertTypeEx
CAIsCertTypeCurrent
CAIsCertTypeCurrentEx
CAOIDAdd
CAOIDAddEx
CAOIDCreateNew
CAOIDCreateNewEx
CAOIDDelete
CAOIDDeleteEx
CAOIDFreeLdapURL
CAOIDFreeProperty
CAOIDGetLdapURL
CAOIDGetProperty
CAOIDGetPropertyEx
CAOIDSetProperty
CAOIDSetPropertyEx
CARemoveCACertificateType
CARemoveCACertificateTypeEx
CASetCACertificate
CASetCAExpiration
CASetCAFlags
CASetCAProperty
CASetCASecurity
CASetCertTypeExpiration
CASetCertTypeExtension
CASetCertTypeFlags
CASetCertTypeFlagsEx
CASetCertTypeKeySpec
CASetCertTypeProperty
CASetCertTypePropertyEx
CAUpdateCA
CAUpdateCAEx
CAUpdateCertType
CAUpdateCertTypeEx
DllCanUnloadNow
DllGetClassObject
DllInstall
DllRegisterServer
DllUnregisterServer
GetProxyDllInfo

Sections

.text
Size: 295KB - Virtual size: 295KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 1024B - Virtual size: 714B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5bdc4f0638549099fe06ceaae61dbb5e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

atl

ntdll

advapi32

crypt32

kernel32

rpcrt4

wldap32

Exports

Exports

Sections

.text Size: 295KB - Virtual size: 295KB

.orpc Size: 1024B - Virtual size: 714B

.data Size: 10KB - Virtual size: 10KB

.rsrc Size: 11KB - Virtual size: 11KB

.reloc Size: 15KB - Virtual size: 14KB

.text
Size: 295KB - Virtual size: 295KB

.orpc
Size: 1024B - Virtual size: 714B

.data
Size: 10KB - Virtual size: 10KB

.rsrc
Size: 11KB - Virtual size: 11KB

.reloc
Size: 15KB - Virtual size: 14KB