certocm.pdb
Static task: static1
Behavioral task: behavioral1
  Sample: certocm.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: certocm.dll
  Resource: win10v2004-20240426-en
General
Target: certocm.dll
Size: 582KB
MD5: 583d6351274afe214a310ffb44b47c87
SHA1: e1bce98762019015daa22c8256083de58c4309bc
SHA256: 44f5970642333425dcc7b5c91f5b6c8baba3b299af803e8612ad35134b93171b
SHA512: 0c91ad0cf139a017e44e478aef673cf0a46d275a90c55280c9c21bbd878984510260abcb07d3e6f10789c1acc4f166df77402bd95fbbfa6593393a319cde29de
SSDEEP: 6144:JAXlX8v5R9Jn793Vt9cNYPrNFfMJxXA+CxYz3ua1b3lat8CMMmOpy7kfORsTLA3v:JA6vFXllCA+Cxe3uqT/1OpcsDrU
Malware Config
Signatures
Unsigned PE (1 IoCs): Checks for missing Authenticode signature.
  resource: certocm.dll
Files
certocm.dll.dll regsvr32 windows:6 windows x86 arch:x86
  40a191f3dd2efec68e46d1acf63fe577
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
_initterm
_XcptFilter
_callnewh
_wcslwr
iswspace
??0exception@@QAE@XZ
memmove_s
??0exception@@QAE@ABV0@@Z
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
wcsncmp
_wcsnicmp
memmove
wcsstr
iswdigit
_wtoi
_wcsicmp
_ultow
_wputenv
wcscat_s
wcscpy_s
wcsrchr
memcpy
wcschr
_vsnwprintf
wcscspn
__dllonexit
_lock
_onexit
_except_handler4_common
_amsg_exit
memset
_purecall
swscanf
isxdigit
__isascii
realloc
_vsnprintf
iswxdigit
_itow
_wgetenv
getenv
strchr
vfwprintf
__iob_func
fprintf
strcspn
fflush
fclose
fwrite
ftell
fseek
fopen
feof
fgetc
_wfopen
fgets
fgetws
atoi
isdigit
ferror
fputws
fwprintf
_wfopen_s
?terminate@@YAXXZ
??1type_info@@UAE@XZ
bsearch
__CxxFrameHandler3
wcsncpy_s
_CxxThrowException
memcpy_s
free
_errno
iswalpha
_unlock
malloc
api-ms-win-security-lsalookup-l1-1-0
LookupAccountNameLocalW
certcli
ord242
ord208
ord253
ord206
ord252
ord209
ord260
ord254
ord256
ord207
ord203
ord247
CACreateNewCA
CASetCAFlags
CAGetCACertificate
CASetCACertificate
CASetCASecurity
CAEnumFirstCA
ord223
CAGetCertTypeExtensions
CAFreeCertTypeExtensions
CAGetCAFlags
CAFindCertTypeByName
CAAddCACertificateType
CAUpdateCA
CACertTypeGetSecurity
CACertTypeSetSecurity
CAUpdateCertType
CACloseCertType
CAGetCAProperty
CAFreeCAProperty
CASetCAProperty
CAUpdateCAEx
CADeleteCAEx
CAFindByName
CACloseCA
CAInstallDefaultCertTypeEx
CAInstallDefaultCertType
ord246
ord225
ord213
ord205
ord215
comdlg32
CommDlgExtendedError
GetSaveFileNameW
GetOpenFileNameW
credui
CredUIParseUserNameW
ncrypt
BCryptVerifySignature
BCryptSignHash
BCryptEncrypt
BCryptDecrypt
BCryptSetProperty
NCryptDeriveKey
NCryptSecretAgreement
NCryptVerifySignature
NCryptSignHash
NCryptEncrypt
NCryptDecrypt
BCryptExportKey
NCryptFreeObject
NCryptGetProperty
NCryptCreatePersistedKey
NCryptOpenStorageProvider
NCryptEnumKeys
NCryptFreeBuffer
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptFreeBuffer
BCryptEnumAlgorithms
NCryptEnumAlgorithms
NCryptEnumStorageProviders
NCryptIsKeyHandle
NCryptExportKey
NCryptImportKey
BCryptGenRandom
NCryptSetProperty
NCryptFinalizeKey
NCryptDeleteKey
NCryptOpenKey
BCryptDestroyKey
netutils
NetApiBufferFree
logoncli
DsGetDcNameW
samcli
NetUserModalsGet
NetLocalGroupAdd
NetLocalGroupAddMembers
NetLocalGroupDel
srvcli
NetShareDel
NetShareGetInfo
NetShareAdd
ntdll
RtlNtStatusToDosError
RtlInitUnicodeString
RtlFindMessage
setupapi
SetupGetLineCountW
SetupFindNextLine
SetupFindFirstLineW
SetupOpenInfFileW
SetupGetFieldCount
SetupGetIntField
SetupCloseInfFile
SetupGetStringFieldW
shell32
SHCreateItemFromParsingName
userenv
ord122
ord104
shlwapi
StrRStrIW
wldap32
ord142
ord26
ord203
ord155
ord79
ord140
ord208
ord13
ord12
ord147
ord210
ord36
ord224
ord41
ord18
ord16
ord167
ord127
ord65
ord122
ord120
dsrole
DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory
advapi32
AddAccessDeniedAce
CryptDecrypt
CryptExportKey
RegSetKeySecurity
RegConnectRegistryW
CryptGetKeyParam
CryptEnumProvidersA
CryptGenKey
CryptGenRandom
CryptSignHashW
CryptVerifySignatureW
CryptGetUserKey
CryptImportKey
CryptDestroyKey
CryptGetDefaultProviderW
ConvertSidToStringSidW
LsaOpenPolicy
LsaQueryInformationPolicy
LsaFreeMemory
LsaClose
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CopySid
OpenThreadToken
SetFileSecurityW
DeleteAce
SetSecurityDescriptorOwner
GetSecurityDescriptorLength
GetNamedSecurityInfoW
SetEntriesInAclW
SetNamedSecurityInfoW
LookupAccountNameW
LogonUserW
ConvertStringSidToSidW
AccessCheck
GetTokenInformation
EqualSid
GetSecurityDescriptorControl
MakeAbsoluteSD
AddAccessAllowedObjectAce
MakeSelfRelativeSD
GetSecurityDescriptorDacl
GetAclInformation
GetLengthSid
InitializeAcl
GetAce
AddAce
AddAccessAllowedAce
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetSecurityDescriptorControl
IsValidSecurityDescriptor
CryptSetProvParam
RegDeleteKeyW
CryptEnumProvidersW
CryptAcquireContextW
OpenProcessToken
DuplicateToken
CheckTokenMembership
AllocateAndInitializeSid
FreeSid
GetSidSubAuthorityCount
GetSidLengthRequired
GetSidIdentifierAuthority
InitializeSid
GetSidSubAuthority
CryptGetProvParam
CryptReleaseContext
RegQueryValueExW
QueryServiceConfigW
ChangeServiceConfigW
ChangeServiceConfig2W
ControlService
OpenSCManagerW
OpenServiceW
StartServiceW
QueryServiceStatus
CloseServiceHandle
RegEnumKeyExW
RegQueryInfoKeyW
RegSetValueExW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
CryptEncrypt
RevertToSelf
ImpersonateSelf
LookupAccountSidW
CreateWellKnownSid
SetSecurityDescriptorSacl
GetSecurityDescriptorSacl
GetSecurityDescriptorOwner
SetSecurityDescriptorGroup
GetSecurityDescriptorGroup
LsaLookupNames2
AdjustTokenPrivileges
LookupPrivilegeValueW
AddAccessDeniedObjectAce
CryptContextAddRef
CryptDuplicateKey
CryptSetKeyParam
CryptSetHashParam
CryptDuplicateHash
crypt32
CertGetCRLContextProperty
CertCloseStore
CertFreeCertificateContext
CertSetCertificateContextProperty
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertOpenStore
CertFindCertificateInStore
CertDeleteCertificateFromStore
CryptFindOIDInfo
CertVerifySubjectCertificateContext
CryptExportPublicKeyInfo
CertFindExtension
CertGetPublicKeyLength
PFXIsPFXBlob
CertVerifyCertificateChainPolicy
CertNameToStrW
CertStrToNameW
CertEnumCertificateContextProperties
PFXImportCertStore
CryptFormatObject
CryptEnumOIDInfo
CryptAcquireCertificatePrivateKey
CryptInitOIDFunctionSet
CryptGetOIDFunctionAddress
CryptFreeOIDFunctionAddress
CryptImportPublicKeyInfo
CryptHashCertificate
CryptSignCertificate
CryptDecodeObjectEx
CryptEncodeObjectEx
CertCreateCertificateContext
CertAddCertificateContextToStore
CertCompareCertificateName
CertAddEncodedCertificateToStore
CertGetCertificateChain
CertFreeCertificateChain
CryptDecodeObject
CertComparePublicKeyInfo
CryptSignAndEncodeCertificate
CertGetCertificateContextProperty
CryptQueryObject
kernel32
RaiseException
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
lstrlenW
InterlockedIncrement
InterlockedDecrement
LoadLibraryW
GetProcAddress
GetModuleHandleW
lstrcmpiW
GetLastError
LocalFree
LocalAlloc
MoveFileW
GetModuleFileNameW
FreeLibrary
MultiByteToWideChar
SizeofResource
DeleteFileW
CloseHandle
LoadResource
DisableThreadLibraryCalls
SetThreadLocale
GetThreadLocale
GetFileAttributesW
GetSystemTimeAsFileTime
lstrcmpW
CompareFileTime
Sleep
CreateDirectoryW
GetSystemDirectoryW
SetEvent
OpenEventW
HeapAlloc
GetProcessHeap
HeapFree
GetLocaleInfoW
GetCurrentProcess
LocalReAlloc
SetLastError
GetVersionExW
GetComputerNameExW
GetWindowsDirectoryW
GetSystemWow64DirectoryW
GetExitCodeThread
WaitForSingleObject
CreateThread
FindClose
FindNextFileW
FindFirstFileW
WideCharToMultiByte
GetVersionExA
InterlockedExchange
CompareStringW
GetEnvironmentVariableW
InterlockedCompareExchange
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
UnhandledExceptionFilter
FindResourceW
LoadLibraryExW
SetUnhandledExceptionFilter
OutputDebugStringA
FormatMessageW
GetACP
SystemTimeToFileTime
FileTimeToSystemTime
GetFileType
GetStdHandle
GetLocalTime
GetCurrentThread
GetSystemTime
GetTempFileNameW
GetFullPathNameW
GetComputerNameW
MoveFileExW
RemoveDirectoryW
FoldStringW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
LockResource
GetTimeFormatW
GetDateFormatW
FileTimeToLocalFileTime
WriteConsoleW
GetTempPathW
GetCommandLineW
CreateEventW
ResetEvent
WriteFile
CreateFileW
FindResourceExW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
SearchPathW
lstrlenA
ole32
CoCreateInstanceEx
CLSIDFromProgID
CoSetProxyBlanket
StringFromCLSID
CoInitialize
CoInitializeEx
CoUninitialize
CoCreateInstance
StringFromGUID2
CoTaskMemFree
CoTaskMemRealloc
CLSIDFromString
CoTaskMemAlloc
oleaut32
SysStringByteLen
SafeArrayCreate
SafeArrayGetElement
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetDim
VarBstrCat
SysAllocStringLen
SafeArrayRedim
SysAllocStringByteLen
SetErrorInfo
CreateErrorInfo
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayPutElement
SysFreeString
SysStringLen
VariantClear
VarUI4FromStr
LoadRegTypeLi
LoadTypeLi
VariantInit
SysAllocString
UnRegisterTypeLi
RegisterTypeLi
SafeArrayDestroy
VariantCopyInd
VariantCopy
rpcrt4
UuidCreate
secur32
GetComputerObjectNameW
user32
SetFocus
CharLowerW
DialogBoxParamW
GetWindowTextW
SetWindowTextW
GetDlgItem
EndDialog
SetCursor
LoadCursorW
MessageBoxW
SendMessageW
LoadStringW
UnregisterClassA
CharNextW
wininet
InternetCanonicalizeUrlW
Exports
CESSetAppPoolCredentials
CertSrvSetupImportPFX
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
DoServerUpgrade
MscepSetupSetAccountInformation
Sections
.text Size: 521KB - Virtual size: 520KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 7KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 22KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 30KB - Virtual size: 29KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ