devrtl[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

devrtl.dll
Size

68KB
MD5

fab2c64b1d4a554dc9a13888cc5f0d4f
SHA1

c7af28bad03408451ff877da13c4136481ca8c68
SHA256

efb8ea36f4c26583cb50bb95ce88b078c93239446ac73e30101d1a29a3004f53
SHA512

75143c2a6b39fb974f25b807e340c7d9874e7fbc3b29e2c4ee48bbc7c471f0f805ea7b7a8cf3f665c7d328af56d58db66834f67a571faaa11482a1b21d466617
SSDEEP

1536:t1wzWNc+FrshHqWIy8ul7bH+FRWr/npLRqUe:t2zW6+Fo9hIynlvH+vo/pve

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
devrtl.dll

Files

devrtl.dll
.dll windows:6 windows x64 arch:x64

984177355eff3b87a5ed792c7f004123

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

devrtl.pdb

Imports

msvcrt

_vsnwprintf
_vsnprintf
toupper
memcpy
wcsrchr
memmove
_XcptFilter
_resetstkoflw
_wcsicmp
__C_specific_handler
_initterm
malloc
free
_amsg_exit
wcschr
memset

ntdll

NtSetValueKey
NtQueryValueKey
NtCreateKey
NtOpenKey
RtlInitUnicodeString
NtClose
RtlFreeUnicodeString
RtlFormatCurrentUserKeyPath
NtSetInformationFile
NtQueryInformationFile
NtQuerySystemInformation
RtlMultiByteToUnicodeN
RtlMultiByteToUnicodeSize
RtlUnicodeToMultiByteN
RtlNtStatusToDosError
RtlUnicodeToMultiByteSize
RtlGetVersion
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-sysinfo-l1-2-1

GetSystemWindowsDirectoryW
GetSystemTimeAsFileTime
GetTickCount
GetLocalTime

api-ms-win-core-errorhandling-l1-1-1

RaiseException
SetUnhandledExceptionFilter
SetLastError
GetLastError
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-2

TlsAlloc
TlsFree
GetCurrentProcess
GetCurrentThreadId
TlsGetValue
GetCurrentProcessId
TlsSetValue
TerminateProcess

api-ms-win-core-synch-l1-2-0

CreateEventW
WaitForSingleObjectEx
WaitForMultipleObjectsEx
Sleep
SleepEx
SetEvent
CreateMutexW
ReleaseMutex

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree

api-ms-win-core-file-l1-2-1

GetFullPathNameW
GetFileAttributesW
SetEndOfFile
CreateDirectoryW
FindClose
FindNextFileW
SetFileAttributesW
CreateFileW
FindFirstFileW
GetFileInformationByHandle
SetFilePointer
GetFileSize
WriteFile
FileTimeToLocalFileTime
FlushFileBuffers
DeleteFileW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-file-l2-1-1

MoveFileExW
CreateHardLinkW
MoveFileWithProgressW

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA

api-ms-win-core-processenvironment-l1-2-0

GetCommandLineA

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-localization-l1-2-1

GetThreadLocale
FormatMessageW
LCMapStringW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringW

api-ms-win-core-io-l1-1-1

DeviceIoControl

api-ms-win-core-heap-l1-2-0

HeapFree
GetProcessHeap
HeapAlloc
HeapReAlloc

api-ms-win-core-memory-l1-1-2

UnmapViewOfFile
CreateFileMappingW
MapViewOfFile

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrlenA
lstrlenW

Exports

Exports

DevRtlCloseTextLogSection
DevRtlCreateTextLogSectionA
DevRtlCreateTextLogSectionW
DevRtlGetThreadLogToken
DevRtlSetThreadLogToken
DevRtlWriteTextLog
DevRtlWriteTextLogError
NdxTableAddObject
NdxTableAddObjectToList
NdxTableClose
NdxTableFirstObject
NdxTableFirstObjectInList
NdxTableGetObjectName
NdxTableGetObjectType
NdxTableGetObjectTypeCount
NdxTableGetObjectTypeName
NdxTableGetPropertyTypeClass
NdxTableGetPropertyTypeCount
NdxTableGetPropertyTypeName
NdxTableGetPropertyValue
NdxTableNextObject
NdxTableObjectFromName
NdxTableObjectFromPointer
NdxTableOpen
NdxTableRemoveObject
NdxTableRemoveObjectFromList
NdxTableSetObjectPointer
NdxTableSetPropertyValue
NdxTableSetTypeDefinition

Sections

.text
Size: 55KB - Virtual size: 54KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

984177355eff3b87a5ed792c7f004123

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-file-l2-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-localization-l1-2-1

api-ms-win-core-string-l1-1-0

api-ms-win-core-io-l1-1-1

api-ms-win-core-heap-l1-2-0

api-ms-win-core-memory-l1-1-2

api-ms-win-core-string-obsolete-l1-1-0

Exports

Exports

Sections

.text Size: 55KB - Virtual size: 54KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 4KB - Virtual size: 4KB

.idata Size: 5KB - Virtual size: 4KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 52B

.text
Size: 55KB - Virtual size: 54KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 4KB

.idata
Size: 5KB - Virtual size: 4KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 52B