TokenBroker[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

TokenBroker.dll
Size

1.3MB
MD5

ee01a0a1df4a93a39c1472d3ebd3e865
SHA1

eec00835843575a12ed5d35982deb98ade65a286
SHA256

bca9b1899dae42b0e375585effa3aa01fa8644ecfbd238e3f1b3235580a24b7c
SHA512

25f0441e75d0ab75edeb650a93e052c08fedd7b6a6e08d9cf7859ea593697a4f204a914959823ddb03a39b55300e5f8840b90576bc6db16d58dba4841dcda0c5
SSDEEP

24576:yHavTyWkXpL8ECY7shfJYEcTr+10GANvK4mNZ0UVz7INEUtq0l+ALm5V:Ua7yWkX1tCaEiq10or96qGri5V

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
TokenBroker.dll

Files

TokenBroker.dll
.dll windows:10 windows x86 arch:x86

974c453836736f5dc5e63817657b231b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

TokenBroker.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__fseeki64
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__itow_s
_o__lock_file
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
_o__unlock_file
_o__wcsicmp
_o__wcsnicmp
memmove
_o__wsplitpath_s
_o_ceil
_o_fclose
_o_fflush
_o_fgetc
_o_fgetpos
_o_fgetwc
_o_fputwc
_o_free
_o_fsetpos
_o_fwrite
_o_iswspace
_o_malloc
_o_realloc
_o_setvbuf
_o_terminate
_o_tolower
_o_towlower
_o_ungetc
_o_ungetwc
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstoul
__current_exception
__current_exception_context
_except_handler4_common
_CxxThrowException
_o__errno
_o__cexit
_o__callnewh
_o__crt_atexit
__std_terminate
_o___stdio_common_vswprintf
_o___stdio_common_vsnprintf_s
_o___std_type_info_destroy_list
_o__configure_narrow_argv
_o___std_exception_destroy
_o___std_exception_copy
_o__execute_onexit_table
wcsstr
__CxxFrameHandler3
memcmp
memcpy

api-ms-win-crt-string-l1-1-0

memset
wcscspn

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleFileNameA
FreeLibrary
GetModuleHandleExW
GetProcAddress
GetModuleHandleExA

api-ms-win-security-base-l1-1-0

GetSidSubAuthority
GetTokenInformation
IsWellKnownSid
FreeSid
AllocateAndInitializeSid
InitializeSid
GetSidLengthRequired
MakeAbsoluteSD
GetLengthSid
SetTokenInformation
CreateWellKnownSid
ImpersonateLoggedOnUser
AccessCheck
DuplicateTokenEx
RevertToSelf

api-ms-win-core-synch-l1-2-0

WakeByAddressAll
InitOnceComplete
InitOnceBeginInitialize
Sleep
InitOnceExecuteOnce

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
SetThreadToken
OpenProcessToken
OpenThreadToken
TlsAlloc
GetCurrentThreadId
GetCurrentProcessId
TlsSetValue
TlsFree
InitializeProcThreadAttributeList
TlsGetValue
CreateProcessAsUserW
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
GetCurrentProcess
TerminateProcess
GetProcessId

api-ms-win-core-synch-l1-1-0

InitializeSRWLock
EnterCriticalSection
CreateEventExW
ReleaseSemaphore
LeaveCriticalSection
InitializeCriticalSectionEx
CreateSemaphoreExW
WaitForSingleObject
TryAcquireSRWLockExclusive
ReleaseMutex
CreateEventW
ReleaseSRWLockExclusive
SetEvent
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
AcquireSRWLockShared
CreateMutexExW
WaitForMultipleObjectsEx
ReleaseSRWLockShared
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
RaiseException
SetUnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-winrt-string-l1-1-0

WindowsCompareStringOrdinal
WindowsDeleteString
WindowsDuplicateString
WindowsGetStringLen
WindowsConcatString
WindowsGetStringRawBuffer
WindowsCreateStringReference
WindowsIsStringEmpty
WindowsStringHasEmbeddedNull
WindowsCreateString
WindowsSubstringWithSpecifiedLength

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-threadpool-l1-2-0

CloseThreadpool
SubmitThreadpoolWork
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CloseThreadpoolTimer
FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
CloseThreadpoolWork
CreateThreadpool

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoInitialize
RoUninitialize
RoRegisterActivationFactories
RoGetActivationFactory
RoRevokeActivationFactories

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoOriginateErrorW
RoTransformError
SetRestrictedErrorInfo
GetRestrictedErrorInfo

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-service-core-l1-1-0

SetServiceStatus
RegisterServiceCtrlHandlerExW

api-ms-win-eventing-provider-l1-1-0

EventActivityIdControl
EventWriteTransfer
EventRegister
EventUnregister
EventSetInformation

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetTickCount64
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegGetValueW
RegQueryInfoKeyW
RegCreateKeyExW
RegDeleteValueW
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegQueryValueExW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
ExpandEnvironmentStringsW

api-ms-win-core-file-l1-1-0

WriteFile
SetFilePointer
CompareFileTime
CreateFileW
FindFirstFileW
SetEndOfFile
FindNextFileW
ReadFile
GetFileSizeEx
SetFileInformationByHandle
GetFileTime
CreateDirectoryW
FindClose

api-ms-win-core-winrt-error-l1-1-1

RoReportFailedDelegate
RoGetMatchingRestrictedErrorInfo
IsErrorPropagationEnabled

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem

ntdll

RtlInitializeResource
RtlAcquireResourceExclusive
RtlDeleteResource
ZwQueryWnfStateData
RtlNtStatusToDosError
RtlDosPathNameToRelativeNtPathName_U
RtlReleaseRelativeName
NtClose
NtCreateFile
NtQueryWnfStateData
RtlEqualSid
RtlFreeSid
RtlSetEnvironmentVar
RtlIdentifierAuthoritySid
RtlSubAuthorityCountSid
RtlIsMultiSessionSku
RtlPublishWnfStateData
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfStateChangeNotification
RtlQueryWnfStateData
RtlQueryPackageClaims
RtlGetDeviceFamilyInfoEnum
RtlIsMultiUsersInSessionSku
wcsnlen
DbgPrint
RtlLoadString
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlWakeAllConditionVariable
RtlSleepConditionVariableSRW
RtlFreeHeap
NtQueryInformationToken
RtlAllocateHeap
RtlCompareUnicodeString
RtlReleaseResource

api-ms-win-core-registry-l2-1-0

RegOpenKeyW

tokenbinding

TokenBindingGenerateIDForUri

api-ms-win-security-capability-l1-1-0

CapabilityCheck

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW
PathFileExistsW

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolAllowThreadReuse
SHTaskPoolQueueTask

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

combase

ord167
ord140
ord90
ord157
ord69
ord184
ord68
ord66
ord168
ord67

api-ms-win-appmodel-runtime-l1-1-1

GetPackageFullNameFromToken
GetPackageFamilyNameFromToken

rmclient

RmAccessCheck

msvcp_win

?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEPAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEGXZ
??1?$basic_ostream@GU?$char_traits@G@std@@@std@@UAE@XZ
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@K@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@_K@Z
?getloc@ios_base@std@@QBE?AVlocale@2@XZ
?width@ios_base@std@@QAE_J_J@Z
?width@ios_base@std@@QBE_JXZ
?flags@ios_base@std@@QBEHXZ
?good@ios_base@std@@QBE_NXZ
?_Getcat@?$ctype@G@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?widen@?$ctype@G@std@@QBEGD@Z
?_Getcat@?$codecvt@GDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?unshift@?$codecvt@GDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z
?out@?$codecvt@GDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBG1AAPBGPAD3AAPAD@Z
?in@?$codecvt@GDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAG3AAPAG@Z
?always_noconv@codecvt_base@std@@QBE_NXZ
??Bid@locale@std@@QAEIXZ
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Mtx_lock
_Mtx_unlock
_Cnd_broadcast
_Mtx_current_owns
_Cnd_timedwait
_Query_perf_counter
_Query_perf_frequency
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QAEXH_N@Z
?_Xlength_error@std@@YAXPBD@Z
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UAE@XZ
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEXABVlocale@2@@Z
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEHXZ
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEPAV12@PAG_J@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPBG_J@Z
?_Xout_of_range@std@@YAXPBD@Z
_Mtx_init_in_situ
_Mtx_destroy_in_situ
_Cnd_init_in_situ
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPAG_J@Z
_Cnd_destroy_in_situ
?_Xbad_function_call@std@@YAXXZ
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JXZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEGG@Z
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAE@XZ
?_Fiopen@std@@YAPAU_iobuf@@PBGHH@Z
?id@?$codecvt@GDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@G@std@@2V0locale@2@A
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV12@XZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAE_JPBG_J@Z
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEXXZ
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAE@XZ
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z
?getloc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QBE?AVlocale@2@XZ
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
_Xtime_get_ticks
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXPAG0@Z
?_Init@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXXZ
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IAE@XZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEPAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEPAGXZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXPAG00@Z
?_Gninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEPAGXZ
?_Gndec@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEPAGXZ
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXPAG00@Z
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXH@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-security-base-l1-2-0

CheckTokenMembershipEx

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW

api-ms-win-core-string-l2-1-0

CharLowerW

api-ms-win-core-winrt-propertysetprivate-l1-1-1

RoCreatePropertySetSerializer

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-winrt-l1-1-0

CreateRandomAccessStreamOverStream
CreateStreamOverRandomAccessStream

api-ms-win-service-private-l1-1-0

I_QueryTagInformation

api-ms-win-security-base-private-l1-1-1

CreateAppContainerToken

api-ms-win-appmodel-state-l1-2-0

OpenStateExplicit
GetStateRootFolder
CloseState

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

Exports

Exports

ServiceMain

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 556B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

974c453836736f5dc5e63817657b231b

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

ntdll

api-ms-win-core-registry-l2-1-0

tokenbinding

api-ms-win-security-capability-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-core-apiquery-l1-1-0

combase

api-ms-win-appmodel-runtime-l1-1-1

rmclient

msvcp_win

api-ms-win-core-psapi-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-string-l2-1-0

api-ms-win-core-winrt-propertysetprivate-l1-1-1

api-ms-win-core-largeinteger-l1-1-0

api-ms-win-shcore-stream-winrt-l1-1-0

api-ms-win-service-private-l1-1-0

api-ms-win-security-base-private-l1-1-1

api-ms-win-appmodel-state-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

Exports

Exports

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.data Size: 2KB - Virtual size: 5KB

.idata Size: 16KB - Virtual size: 16KB

.didat Size: 1024B - Virtual size: 556B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 73KB - Virtual size: 73KB

.text
Size: 1.2MB - Virtual size: 1.2MB

.data
Size: 2KB - Virtual size: 5KB

.idata
Size: 16KB - Virtual size: 16KB

.didat
Size: 1024B - Virtual size: 556B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 73KB - Virtual size: 73KB