certocm.pdb

Static task: static1
Behavioral task: behavioral1, sample certocm.dll, resource win7-20240215-en
Behavioral task: behavioral2, sample certocm.dll, resource win10v2004-20240426-en

General
- Target: certocm.dll
- Size: 775KB
- MD5: 7a9636b51723d68e6cf21bb8b8bb3e35
- SHA1: 4c5b96c4607b515496646b35263786ca1af6c563
- SHA256: 55edd63d07ca5cee8f1fef2d7459f1062287200339c3c7a5b5b516a256c72264
- SHA512: ca3ab246278f8384c4779560d8daa0be9ec47b34064e07612a4976f209cb4d23fdbc96fa38e6d70f23815ea2df6b6b9a6fddf31212812d222ffea318ef32dbb1
- SSDEEP: 12288:ypAqNptP5yzb+6fb8z4BCcaojkn8fMfNcf0GkWqLWXfBvicuGOGJEI:ypHptIPbfbk7ojkKO6fkWSuJvi5aEI
Malware Config
Signatures
- Unsigned PE (1 IoC): checks for missing Authenticode signature. Resource: certocm.dll

Files
- certocm.dll.dll regsvr32 windows:6 windows x64 arch:x64 793e37ce5b366dd5e803fbabda809247
Headers
- DLL Characteristics: IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_GUARD_CF
- File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
realloc
_errno
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
__CxxFrameHandler3
_CxxThrowException
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
__C_specific_handler
memset
_wcslwr
iswspace
??0exception@@QEAA@XZ
memmove_s
_onexit
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBV0@@Z
?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
wcsncmp
_wcsnicmp
memmove
wcsstr
iswdigit
_wtoi
wcsncpy_s
_wcsicmp
wcscat_s
wcscpy_s
_wputenv
_ultow
_vsnwprintf
wcschr
wcscspn
wcsrchr
memcpy_s
_purecall
_vsnprintf
??0exception@@QEAA@AEBQEBD@Z
__isascii
isxdigit
swscanf
iswalpha
iswxdigit
_itow
_wgetenv
strchr
getenv
__iob_func
fflush
fprintf
vfwprintf
strcspn
fclose
fopen
fseek
ftell
fwrite
_wfopen
fgetc
feof
fgetws
fgets
isdigit
atoi
strncmp
fputws
ferror
_wfopen_s
fwprintf
bsearch
memcpy
wcscmp
memcmp
malloc
free
strcmp
api-ms-win-security-lsalookup-l1-1-1
LookupAccountNameLocalW
certca
ord602
ord601
ord819
ord801
ord847
ord708
ord820
ord823
ord705
ord839
ord840
ord841
ord842
ord704
ord802
ord809
ord464
ord813
ord463
ord401
ord412
ord410
ord413
ord414
ord415
ord408
ord430
ord435
ord426
ord407
ord467
ord468
ord437
ord444
ord451
ord453
ord406
ord431
ord416
ord417
ord421
ord404
ord808
ord814
ord707
ord703
comdlg32
GetOpenFileNameW
CommDlgExtendedError
credui
CredUIParseUserNameW
ncrypt
BCryptFreeBuffer
NCryptFreeObject
NCryptIsKeyHandle
NCryptOpenStorageProvider
NCryptEnumAlgorithms
NCryptEnumKeys
NCryptEnumStorageProviders
NCryptFreeBuffer
NCryptOpenKey
NCryptCreatePersistedKey
NCryptGetProperty
NCryptSetProperty
NCryptFinalizeKey
NCryptEncrypt
NCryptDecrypt
NCryptImportKey
NCryptExportKey
NCryptSignHash
NCryptVerifySignature
NCryptDeleteKey
NCryptSecretAgreement
NCryptDeriveKey
BCryptOpenAlgorithmProvider
BCryptEnumAlgorithms
BCryptGetProperty
BCryptSetProperty
BCryptCloseAlgorithmProvider
BCryptGenRandom
BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptVerifySignature
BCryptSignHash
BCryptDestroyKey
BCryptExportKey
BCryptDecrypt
BCryptEncrypt
netutils
NetApiBufferFree
logoncli
DsGetDcNameW
samcli
NetUserModalsGet
NetLocalGroupAdd
NetLocalGroupDel
NetLocalGroupAddMembers
srvcli
NetShareGetInfo
NetShareDel
NetShareAdd
ntdll
RtlInitUnicodeString
RtlNtStatusToDosError
RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry
setupapi
SetupFindFirstLineW
SetupGetLineCountW
SetupOpenInfFileW
SetupCloseInfFile
SetupGetFieldCount
SetupFindNextLine
SetupGetStringFieldW
SetupGetIntField
shell32
SHCreateItemFromParsingName
userenv
ord104
ord122
shlwapi
StrRStrIW
wldap32
ord16
ord18
ord13
ord210
ord36
ord41
ord203
ord26
ord142
ord79
ord155
ord208
ord140
ord224
ord120
ord65
ord97
ord127
ord147
ord167
ord122
ord12
dsrole
DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory
advapi32
SetSecurityDescriptorSacl
CryptSetKeyParam
CryptSetHashParam
CryptDuplicateKey
CryptContextAddRef
AddAccessDeniedAce
AddAccessDeniedObjectAce
ConvertStringSecurityDescriptorToSecurityDescriptorW
AdjustTokenPrivileges
LsaLookupNames2
GetSecurityDescriptorSacl
GetSecurityDescriptorOwner
SetSecurityDescriptorGroup
GetSecurityDescriptorGroup
ImpersonateSelf
CryptDuplicateHash
CryptDecrypt
CryptEncrypt
CryptExportKey
RegSetKeySecurity
RegDeleteKeyExW
CryptGetKeyParam
CryptEnumProvidersA
CryptGenKey
CryptVerifySignatureW
CryptSignHashW
CryptGenRandom
CryptImportKey
CryptGetUserKey
CryptDestroyKey
RevertToSelf
LookupAccountSidW
CreateWellKnownSid
ConvertSidToStringSidW
CopySid
LsaClose
LsaFreeMemory
LsaQueryInformationPolicy
LsaOpenPolicy
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
SetFileSecurityW
DeleteAce
SetSecurityDescriptorOwner
GetSecurityDescriptorLength
SetNamedSecurityInfoW
SetEntriesInAclW
GetNamedSecurityInfoW
LookupAccountNameW
MakeSelfRelativeSD
AddAccessAllowedObjectAce
MakeAbsoluteSD
GetSecurityDescriptorControl
EqualSid
CryptSetProvParam
IsValidSecurityDescriptor
SetSecurityDescriptorControl
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
AddAce
GetAce
InitializeAcl
GetLengthSid
GetAclInformation
GetSecurityDescriptorDacl
AccessCheck
ConvertStringSidToSidW
LogonUserW
GetTokenInformation
RegDeleteKeyW
CryptAcquireContextW
CryptEnumProvidersW
FreeSid
AllocateAndInitializeSid
CheckTokenMembership
DuplicateToken
OpenProcessToken
OpenThreadToken
GetSidSubAuthority
GetSidIdentifierAuthority
InitializeSid
GetSidLengthRequired
GetSidSubAuthorityCount
CryptReleaseContext
CryptGetProvParam
RegQueryValueExW
ChangeServiceConfig2W
ChangeServiceConfigW
QueryServiceConfigW
ControlService
QueryServiceStatus
StartServiceW
OpenServiceW
OpenSCManagerW
CloseServiceHandle
RegSetValueExW
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegDeleteValueW
RegQueryInfoKeyW
RegCreateKeyExW
crypt32
CryptHashCertificate
CryptSignCertificate
CryptDecodeObjectEx
CryptEncodeObjectEx
CryptSignAndEncodeCertificate
CertGetCertificateContextProperty
CertComparePublicKeyInfo
CertCompareCertificateName
CertAddCertificateContextToStore
CertAddEncodedCertificateToStore
CertFreeCertificateChain
CertGetCertificateChain
CryptDecodeObject
CertCreateCertificateContext
CryptAcquireCertificatePrivateKey
CryptQueryObject
CertFindExtension
CertGetPublicKeyLength
CryptExportPublicKeyInfo
CertVerifySubjectCertificateContext
CryptFindOIDInfo
CertDeleteCertificateFromStore
CertFindCertificateInStore
CertOpenStore
CertSetCertificateContextProperty
CertEnumCertificatesInStore
CertCloseStore
CryptInitOIDFunctionSet
CryptGetOIDFunctionAddress
CryptFreeOIDFunctionAddress
CryptImportPublicKeyInfo
CryptEnumOIDInfo
CryptFormatObject
CertVerifyCertificateChainPolicy
PFXImportCertStore
CertStrToNameW
CertNameToStrW
CertGetCRLContextProperty
PFXIsPFXBlob
CryptImportPublicKeyInfoEx2
CryptStringToBinaryW
CertDuplicateCertificateContext
CertFreeCertificateContext
kernel32
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
SearchPathW
FindResourceExW
FreeLibrary
LoadResource
LoadLibraryExW
GetModuleHandleW
InitializeCriticalSection
SizeofResource
LeaveCriticalSection
GetModuleFileNameW
ResetEvent
CreateEventW
GetCommandLineW
GetTempPathW
WriteConsoleW
GetLocalTime
LockResource
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
FoldStringW
RemoveDirectoryW
MoveFileExW
GetFileType
GetStdHandle
GetComputerNameW
SetEvent
MultiByteToWideChar
RaiseException
GetLastError
GetProcAddress
GetTempFileNameW
GetFullPathNameW
GetTimeFormatW
GetDateFormatW
FileTimeToLocalFileTime
GetSystemTime
SystemTimeToFileTime
FileTimeToSystemTime
GetACP
FormatMessageW
OutputDebugStringA
EnterCriticalSection
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CompareStringW
GetEnvironmentVariableW
GetTickCount
WideCharToMultiByte
FindResourceW
FindClose
FindNextFileW
FindFirstFileW
GetWindowsDirectoryW
GetSystemWow64DirectoryW
GetExitCodeThread
WaitForSingleObject
CreateThread
SetLastError
GetComputerNameExW
GetVersionExW
LocalReAlloc
GetCurrentProcess
GetCurrentThread
GetLocaleInfoW
HeapAlloc
HeapFree
GetProcessHeap
GetCurrentThreadId
OpenEventW
CreateDirectoryW
GetFileAttributesW
Sleep
CompareFileTime
lstrcmpW
GetSystemDirectoryW
GetSystemTimeAsFileTime
SetThreadLocale
GetThreadLocale
DisableThreadLibraryCalls
CloseHandle
CreateFileW
MoveFileW
DeleteFileW
LocalAlloc
LocalFree
WriteFile
lstrlenA
DeleteCriticalSection
lstrcmpiW
ole32
StringFromCLSID
CoSetProxyBlanket
CLSIDFromProgID
CoCreateInstanceEx
CoTaskMemRealloc
CoTaskMemFree
CoTaskMemAlloc
StringFromGUID2
CoCreateInstance
CoInitialize
CoInitializeEx
CLSIDFromString
CoUninitialize
oleaut32
SysStringByteLen
SetErrorInfo
CreateErrorInfo
GetErrorInfo
SysAllocStringByteLen
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetDim
SafeArrayGetUBound
SafeArrayGetElement
SafeArrayRedim
VarBstrCat
SysAllocStringLen
SafeArrayDestroy
SafeArrayPutElement
SafeArrayCreate
VariantCopyInd
VariantCopy
UnRegisterTypeLi
RegisterTypeLi
SysAllocString
LoadRegTypeLi
SysFreeString
VarUI4FromStr
VariantInit
SysStringLen
VariantClear
LoadTypeLi
rpcrt4
UuidCreate
secur32
GetComputerObjectNameW
user32
SendMessageW
MessageBoxW
LoadCursorW
SetCursor
GetWindowTextW
CharNextW
CharLowerW
UnregisterClassA
LoadStringW
DialogBoxParamW
GetDlgItem
EndDialog
SetFocus
SetWindowTextW
wininet
InternetCanonicalizeUrlW
Exports
CESSetAppPoolCredentials
CertSrvSetupImportPFX
CertSrvSetupImportPFX2
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
DoServerUpgrade
MscepSetupSetAccountInformation
Sections
- .text  Size: 700KB - Virtual size: 700KB  (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ)
- .data  Size: 10KB - Virtual size: 13KB  (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)
- .pdata  Size: 18KB - Virtual size: 17KB  (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
- .idata  Size: 17KB - Virtual size: 17KB  (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
- .rsrc  Size: 23KB - Virtual size: 22KB  (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
- .reloc  Size: 5KB - Virtual size: 4KB  (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ)