asp[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

asp.dll
Size

381KB
MD5

d3cc331b41eae49eae61657d8d5aeaea
SHA1

31ffabc2d959b5f64e8a4970be2dbbe8e0ae20e4
SHA256

c03a3347867ac50d14e9dc0243ba9878ef50f087706a00d3a26b61099711961d
SHA512

3f6a71f80e8ff8a551adefd403607869010ac1cab9a6112bb95fd01f76a8d79d25b413128677257db4cae2a88fe4582ac1fb06bf8e4f8ad313b3b10ba44e0cab
SSDEEP

6144:vYzHCWn4IfqAko60Y6GAxMWqhnQ9gBOSPiFZ+SAIAjTrB1w37OBRtnp7hh:Qb7dqk6L63CWqNzw37mRtnp7hh

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
asp.dll

Files

asp.dll
.dll regsvr32 windows:6 windows x86 arch:x86

207bda9ef95cce51980bf6871dfc35ed

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

asp.pdb

Imports

msvcrt

strtoul
strncmp
atoi
memset
memcpy
strcpy_s
_wcsupr
wcsstr
_wtoi
wcscpy_s
time
_onexit
_lock
__dllonexit
_unlock
_except_handler4_common
_amsg_exit
_initterm
_XcptFilter
_ismbbkana
_ultoa
isalnum
_wcslwr
_memicmp
memchr
strncat_s
_ultow
iswspace
iswalpha
_itoa
localtime
mktime
gmtime
atol
_ftol2_sse
difftime
memcpy_s
_strlwr
isxdigit
wcspbrk
malloc
free
_vsnprintf
_beginthreadex
memmove
rand
strstr
_mbsnicmp
_mbsupr
_wcsnicmp
strncpy_s
vsprintf_s
isleadbyte
_ltow
_ltoa
_mbstok
swprintf_s
srand
_wcsicmp
_stricmp
wcschr
_beginthread
_purecall
_strnicmp
strcat_s
sprintf_s
isdigit
wcsncmp
wcsrchr
wcsncpy_s
strchr
wcscat_s

atl

ord16
ord30
ord58
ord21

user32

MessageBoxA
CharNextExA
PeekMessageW
DispatchMessageW
MsgWaitForMultipleObjects
LoadStringA
LoadStringW
CharNextA
CharUpperBuffW
IsCharAlphaW
CharUpperA
CharPrevW
CharNextW

advapi32

InitializeAcl
SetThreadToken
OpenThreadToken
RegCloseKey
RegQueryValueExA
GetFileSecurityW
RegOpenKeyExA
SetSecurityInfo
SetEntriesInAclW
GetSecurityInfo
DeregisterEventSource
ReportEventA
RegisterEventSourceA
ReportEventW
RegisterEventSourceW
ImpersonateLoggedOnUser
CreateWellKnownSid
FreeSid
AllocateAndInitializeSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
GetLengthSid
CryptReleaseContext
CryptAcquireContextW
CryptGenRandom
SetNamedSecurityInfoA
GetSecurityDescriptorLength
GetSecurityDescriptorDacl
GetTokenInformation
GetKernelObjectSecurity
AccessCheck
EqualSid
RegQueryValueA
RegEnumKeyA
RevertToSelf

ole32

CoTaskMemFree
StringFromCLSID
CoUninitialize
CoInitializeEx
CoFreeUnusedLibraries
CoInitialize
CoCreateFreeThreadedMarshaler
CoCreateInstance
CoGetObjectContext
CLSIDFromString
CoWaitForMultipleHandles
CoTaskMemAlloc
CLSIDFromProgID
CoDisconnectObject

oleaut32

SysAllocStringLen
VariantTimeToDosDateTime
DosDateTimeToVariantTime
VariantCopy
LoadTypeLi
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
VariantChangeTypeEx
UnRegisterTypeLi
DispGetIDsOfNames
CreateErrorInfo
SetErrorInfo
LoadTypeLibEx
VariantCopyInd
SystemTimeToVariantTime
SysAllocStringByteLen
SafeArrayCreate
SafeArrayAccessData
SafeArrayUnaccessData
LoadRegTypeLi
SysStringLen
SysAllocString
VariantChangeType
VariantClear
VariantInit
SysFreeString
GetErrorInfo

rpcrt4

UuidToStringW
UuidCreate
RpcStringFreeW

comsvcs

CoEnterServiceDomain
CoCreateActivity
CoLeaveServiceDomain

kernel32

HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
OpenEventA
ReleaseMutex
OpenFileMappingA
CreateFileMappingA
CreateEventW
OpenEventW
OpenMutexA
CreateMutexA
ExpandEnvironmentStringsA
IsDBCSLeadByteEx
InterlockedExchangeAdd
GetSystemDefaultLCID
RaiseException
WriteFile
CreateFileA
GetTempFileNameA
ReadFile
GetFileAttributesExW
GetFullPathNameW
ConvertDefaultLocale
CreateFileW
GetFileInformationByHandle
GetLongPathNameW
QueryPerformanceCounter
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
ReadDirectoryChangesW
LocalReAlloc
HeapCreate
HeapSetInformation
InterlockedCompareExchange
ResetEvent
GetFileSize
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
IsValidLocale
GetSystemInfo
GlobalFree
GlobalAlloc
IsValidCodePage
GetACP
IsDBCSLeadByte
FreeLibrary
GetWindowsDirectoryW
LoadLibraryW
GetModuleFileNameW
GetModuleFileNameA
DisableThreadLibraryCalls
SetLastError
MultiByteToWideChar
FileTimeToSystemTime
WideCharToMultiByte
LocalAlloc
LocalFree
GetCurrentThread
GetFileAttributesA
MoveFileA
CreateDirectoryA
SetThreadPriority
FindFirstFileA
OpenProcess
DeleteFileA
FindNextFileA
FindClose
CompareFileTime
GetCurrentProcess
IsWow64Process
Wow64EnableWow64FsRedirection
RemoveDirectoryA
CreateEventA
ResumeThread
GetCPInfo
FormatMessageA
LoadLibraryExA
GetModuleHandleA
FormatMessageW
GetModuleHandleExW
OutputDebugStringA
GetThreadPriority
InterlockedIncrement
InterlockedDecrement
EnterCriticalSection
GetCurrentThreadId
LeaveCriticalSection
DeleteCriticalSection
GetLastError
WaitForSingleObject
SetEvent
CloseHandle
lstrlenW
GetTickCount
GetCurrentProcessId
InterlockedExchange
Sleep
CreateThread
WaitForMultipleObjects

crypt32

CryptDecodeObject
CertCreateCertificateContext
CertFreeCertificateContext

iisutil

?QueryStr@STRU@@QAEPAGXZ
?QueryCCH@STRU@@QBEIXZ
??1STRU@@QAE@XZ
??0STRU@@QAE@PAGK@Z
WriteRefTraceLog
?InsertRecord@CLKRHashTable@@QAE?AW4LK_RETCODE@@PBX_N@Z
?Resize@STRU@@QAEJK@Z
??1BUFFER@@QAE@XZ
?DeleteRecord@CLKRHashTable@@QAE?AW4LK_RETCODE@@PBX@Z
?FindKey@CLKRHashTable@@QBE?AW4LK_RETCODE@@KPAPBX@Z
??1CLKRHashTable@@QAE@XZ
??0BUFFER@@QAE@PAEI@Z
?QuerySize@BUFFER@@QBEIXZ
?Append@STRU@@QAEJPBG@Z
?SetLen@STRU@@QAEHK@Z
?QuerySizeCCH@STRU@@QBEIXZ
PuDbgPrintError
PuDeleteDebugPrintsObject
DestroyRefTraceLog
CreateRefTraceLog
PuLoadDebugFlagsFromRegStr
?ReadLock@CLKRHashTable@@QBEXXZ
PuCreateDebugPrintsObject
??0BUFFER@@QAE@I@Z
?Alloc@ALLOC_CACHE_HANDLER@@QAEPAXXZ
?Free@ALLOC_CACHE_HANDLER@@QAEHPAX@Z
??0ALLOC_CACHE_HANDLER@@QAE@PBDPBU_ALLOC_CACHE_CONFIGURATION@@H@Z
PuDbgPrint
IISInitializeCriticalSection
?QueryPtr@BUFFER@@QBEPAXXZ
??0CLKRHashTable@@QAE@PBDP6G?BKPBX@ZP6GKK@ZP6G_NKK@ZP6GX1H@ZNKK_N@Z
?Resize@BUFFER@@QAEHI@Z
??1ALLOC_CACHE_HANDLER@@UAE@XZ
ScheduleAdjustTime
RemoveWorkItem
ScheduleWorkItem
MakePathCanonicalizationProof
?QueryBuffer@STRU@@QAEPAVBUFFER@@XZ
?Copy@STRU@@QAEJPBG@Z
?WriteUnlock@CLKRHashTable@@QBEXXZ
?WriteLock@CLKRHashTable@@QAEXXZ
WriteRefTraceLogEx
?WriteLock@CSmallSpinLock@@QAEXXZ
?WriteUnlock@CSmallSpinLock@@QAEXXZ
?Size@CLKRHashTable@@QBEKXZ
?ReadUnlock@CLKRHashTable@@QBEXXZ
?SyncWithBuffer@STRU@@QAEXXZ

w3tp

ThreadPoolInitialize
ThreadPoolBindIoCompletionCallback
ThreadPoolTerminate

nativerd

GetDefaultNativeConfigurationSystem

Exports

Exports

AspStatusHtmlDump
DllRegisterServer
DllUnregisterServer
GetExtensionVersion
HttpExtensionProc
TerminateExtension

Sections

.text
Size: 327KB - Virtual size: 327KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 17KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

207bda9ef95cce51980bf6871dfc35ed

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

atl

user32

advapi32

ole32

oleaut32

rpcrt4

comsvcs

kernel32

crypt32

iisutil

w3tp

nativerd

Exports

Exports

Sections

.text Size: 327KB - Virtual size: 327KB

.data Size: 17KB - Virtual size: 20KB

.rsrc Size: 21KB - Virtual size: 21KB

.reloc Size: 14KB - Virtual size: 14KB

.text
Size: 327KB - Virtual size: 327KB

.data
Size: 17KB - Virtual size: 20KB

.rsrc
Size: 21KB - Virtual size: 21KB

.reloc
Size: 14KB - Virtual size: 14KB