els[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

els.dll
Size

233KB
MD5

eee8989512b6bfd12eb7404ad00e74f2
SHA1

47b5e4d02e0dadaed58d2f5f626f6661473a06f6
SHA256

3fba95ef568c3fec72705352d2077b17f66f1c92e17b67d41f61c1a92c5bf869
SHA512

a28f7be7b965e332569493093fb5b29949a4e2dc69c89631f9b9fa411309553ccf2a27706f21da4f61ab83e85e83a6af1b829aa447d8380efdeb14204d686acb
SSDEEP

6144:Qv0d4piq0mbhIOoId1ay4jV5QINlqJkcK:vdK0/JEUP

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
els.dll

Files

els.dll
.dll regsvr32 windows:6 windows x64 arch:x64

b7e5f5c02198311800b5dec444662139

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

els.pdb

Imports

msvcrt

wcschr
_purecall
_wcsupr
memmove_s
??0exception@@QEAA@AEBQEBD@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
memcpy_s
wcsncmp
wcsstr
_wcsnicmp
wcscpy_s
memmove
wcspbrk
_ultow
_itow
wcsrchr
_snwprintf_s
wcscat_s
qsort
swprintf_s
wcsspn
_vsnwprintf_s
towlower
??0exception@@QEAA@AEBQEBDH@Z
_callnewh
_CxxThrowException
??0exception@@QEAA@XZ
__CxxFrameHandler3
_XcptFilter
_amsg_exit
_initterm
__C_specific_handler
??1type_info@@UEAA@XZ
_lock
_unlock
__dllonexit
_onexit
?terminate@@YAXXZ
memcpy
memcmp
malloc
wcsncpy_s
_wcsicmp
_vsnwprintf
_wcslwr
wcstoul
free
memset

ntdll

RtlTimeToSecondsSince1970
RtlSecondsSince1970ToTime
RtlLengthSid
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

advapi32

RegDeleteValueW
RegEnumKeyExW
RegDeleteKeyW
RegConnectRegistryW
RegCreateKeyExW
IsValidSid
ReadEventLogW
OpenEventLogW
OpenBackupEventLogW
RegSetValueExW
GetNumberOfEventLogRecords
CloseEventLog
ClearEventLogW
BackupEventLogW
ConvertStringSidToSidW
GetLengthSid
LookupAccountSidW
RegCloseKey
RegOpenKeyExW
RegGetValueW
RegQueryValueExW
GetOldestEventLogRecord
EqualSid

kernel32

CloseHandle
FileTimeToLocalFileTime
GetLocalTime
GetWindowsDirectoryW
WideCharToMultiByte
HeapFree
GetProcessHeap
HeapAlloc
GetTimeZoneInformation
DisableThreadLibraryCalls
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetSystemDirectoryW
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetCurrentThreadId
GetComputerNameW
LoadLibraryExW
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCommandLineW
DeleteFileW
GetFileAttributesExW
CreateFileW
WriteFile
GetDateFormatW
GetFileSize
GetTimeFormatW
GetTickCount
GetDriveTypeW
CreateThread
GetSystemTimeAsFileTime
GetLastError
lstrcmpiW
lstrlenW
LocalFree
lstrcmpW
ExpandEnvironmentStringsW
FormatMessageW
FreeLibrary
SetLastError
DeactivateActCtx
LoadLibraryW
GetProcAddress
ActivateActCtx
FindActCtxSectionStringW
CreateActCtxW
GetModuleFileNameW
GetModuleHandleExW
QueryActCtxW
OutputDebugStringA
GlobalFree
GetSystemWindowsDirectoryW
GlobalAlloc
GlobalLock
GlobalUnlock
GetLocaleInfoW
LocalAlloc

user32

LoadStringW
EnumThreadWindows
GetClassNameW
IsWindowEnabled
WinHelpW
LoadIconW
LoadBitmapW
LoadImageW
SetForegroundWindow
RegisterClipboardFormatW
SendMessageW
GetDlgItem
SetWindowPos
GetParent
FindWindowExW
SetWindowLongPtrW
GetWindowTextW
SetWindowTextW
GetDlgItemTextW
LoadCursorW
SetCursor
DestroyIcon
GetSysColor
CheckRadioButton
GetWindowRect
GetDC
ReleaseDC
GetSystemMetrics
EnableWindow
PostMessageW
OpenClipboard
EmptyClipboard
IsDlgButtonChecked
SetClipboardData
CloseClipboard
ShowWindow
SetDlgItemTextW
GetFocus
SetFocus
MessageBoxW
DefWindowProcW
CreateDialogParamW
GetWindowLongPtrW
DestroyWindow
GetClientRect
EndDialog
CharLowerBuffW
GetWindow
GetMessageW
IsDialogMessageW
TranslateMessage
DispatchMessageW
CheckDlgButton
PostQuitMessage
GetWindowTextLengthW
SetDlgItemInt
GetDlgItemInt
DialogBoxParamW
RegisterClassW
CreateWindowExW

gdi32

GetObjectW
GetTextMetricsW
SetMapMode
GetMapMode
DeleteObject
CreateFontIndirectW

ole32

ObjectStublessClient7
ObjectStublessClient6
CoCreateInstance
ReleaseStgMedium
CoUninitialize
CoInitialize
IIDFromString
CoGetInterfaceAndReleaseStream
CreateStreamOnHGlobal
CoTaskMemAlloc
CoMarshalInterThreadInterfaceInStream
ObjectStublessClient3
ObjectStublessClient5
ObjectStublessClient4

rpcrt4

CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
IUnknown_AddRef_Proxy
CStdStubBuffer_QueryInterface
CStdStubBuffer_DebugServerQueryInterface
IUnknown_Release_Proxy
CStdStubBuffer_Invoke
NdrOleAllocate
NdrOleFree
IUnknown_QueryInterface_Proxy
CStdStubBuffer_AddRef
NdrDllGetClassObject
NdrDllCanUnloadNow
NdrCStdStubBuffer_Release
CStdStubBuffer_Connect
CStdStubBuffer_CountRefs

netutils

NetpwNameValidate
NetpwNameCanonicalize
NetApiBufferFree

dsrole

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

logoncli

DsGetDcNameW

srvcli

NetShareGetInfo

wkscli

NetWkstaGetInfo

shlwapi

PathCombineW
PathRemoveBlanksW
wnsprintfW

shell32

ShellExecuteW
CommandLineToArgvW

ntdsapi

DsFreeSchemaGuidMapW
DsMapSchemaGuidsW
DsFreeNameResultW
DsCrackNamesW
DsBindW
DsUnBindW

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

activeds

ord15
ord20
ord9

mpr

WNetGetUniversalNameW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 181KB - Virtual size: 180KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 512B - Virtual size: 151B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 972B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b7e5f5c02198311800b5dec444662139

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

advapi32

kernel32

user32

gdi32

ole32

rpcrt4

netutils

dsrole

logoncli

srvcli

wkscli

shlwapi

shell32

ntdsapi

version

activeds

mpr

Exports

Exports

Sections

.text Size: 181KB - Virtual size: 180KB

.orpc Size: 512B - Virtual size: 151B

.data Size: 12KB - Virtual size: 11KB

.pdata Size: 8KB - Virtual size: 8KB

.idata Size: 10KB - Virtual size: 9KB

.rsrc Size: 19KB - Virtual size: 19KB

.reloc Size: 1024B - Virtual size: 972B

.text
Size: 181KB - Virtual size: 180KB

.orpc
Size: 512B - Virtual size: 151B

.data
Size: 12KB - Virtual size: 11KB

.pdata
Size: 8KB - Virtual size: 8KB

.idata
Size: 10KB - Virtual size: 9KB

.rsrc
Size: 19KB - Virtual size: 19KB

.reloc
Size: 1024B - Virtual size: 972B