WSClient[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

WSClient.dll
Size

175KB
MD5

bea94d55754afc72a3e70aff4664d030
SHA1

1a71dd2e2f413a89d2f2c85352cf6324c90a5da2
SHA256

04b5f0980bf947c742ba1129c7ea574870b6f5efc788ff1dc59c5efafb7dbee0
SHA512

a200d724eea99a7d33a30a55958117fd8ebfd4e93babbe5476e9aff8cf4d924eb3bd36d989eb978c2452034c20ec0e804215066138bb1672f58c832b7b060123
SSDEEP

3072:cOvaP3+XjK/zQITZfHewJYzE26xRFd76wuPR9Rt7TO1RTo2O9stGH/HJI:cOiv/zQWfbCzQRFd76BnRNOvTA97H

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WSClient.dll

Files

WSClient.dll
.dll windows:6 windows x86 arch:x86

4c41d916c7023c5b4877b05199537878

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

WSClient.pdb

Imports

msvcrt

fflush
malloc
_wtoi
_ultow_s
printf
wcsrchr
memcmp
_unlock
_onexit
__CxxFrameHandler3
_except_handler4_common
free
memset
memmove_s
wcsstr
wcschr
wprintf
wcsncmp
_wcsicmp
_XcptFilter
_amsg_exit
_lock
_initterm
__dllonexit
_iob
memmove
_vsnwprintf
_purecall
memcpy

api-ms-win-core-heap-l1-2-0

GetProcessHeap
HeapReAlloc
HeapAlloc
HeapFree

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameW
LoadLibraryExW
GetProcAddress
GetModuleHandleExW
DisableThreadLibraryCalls
GetModuleHandleW
GetModuleHandleA
LockResource
LoadStringW
LoadResource
FindResourceExW
FreeLibrary

oleaut32

ord445
VariantInit
ord447
ord446
BSTR_UserSize
ord448
BSTR_UserFree
SysAllocString
BSTR_UserUnmarshal
BSTR_UserMarshal

rpcrt4

I_RpcMapWin32Status
I_RpcExceptionFilter
RpcBindingFree
RpcStringFreeW
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
NdrClientCall2
IUnknown_AddRef_Proxy
CStdStubBuffer_QueryInterface
CStdStubBuffer_DebugServerQueryInterface
IUnknown_Release_Proxy
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Invoke
CStdStubBuffer_Connect
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
CStdStubBuffer_CountRefs
NdrDllGetClassObject
CStdStubBuffer_AddRef
IUnknown_QueryInterface_Proxy
NdrOleFree
NdrOleAllocate
RpcStringBindingComposeW

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventWrite
EventRegister

api-ms-win-core-synch-l1-2-0

ReleaseSRWLockExclusive
SetEvent
ResetEvent
AcquireSRWLockExclusive
CreateEventW
ReleaseSRWLockShared
Sleep
LeaveCriticalSection
AcquireSRWLockShared
DeleteCriticalSection
EnterCriticalSection
WaitForSingleObject
SleepEx
InitializeCriticalSection
WaitForMultipleObjectsEx

api-ms-win-core-errorhandling-l1-1-1

GetLastError
UnhandledExceptionFilter
RaiseException
SetUnhandledExceptionFilter
SetLastError

api-ms-win-core-util-l1-1-0

DecodePointer

api-ms-win-core-com-l1-1-1

CoInitializeEx
CoCreateInstance
StringFromGUID2
CoCreateGuid
CoUninitialize

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-2

GetCurrentProcessId
FlushInstructionCache
GetCurrentProcess
CreateThread
IsProcessorFeaturePresent
GetCurrentThreadId
TerminateProcess

api-ms-win-core-sysinfo-l1-2-1

GetTickCount64
GetTickCount
GetSystemTimeAsFileTime
GetSystemWindowsDirectoryW
GetLocalTime
GetProductInfo
GetVersionExW
GetComputerNameExW

api-ms-win-core-file-l1-2-1

UnlockFileEx
CreateFileW
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
WriteFile
LockFileEx
SetFilePointer
GetFileAttributesExW
DeleteFileW
ReadFile

api-ms-win-core-io-l1-1-1

DeviceIoControl

api-ms-win-core-string-l1-1-0

CompareStringOrdinal
WideCharToMultiByte
CompareStringW

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegGetValueW
RegQueryValueExW
RegCloseKey

api-ms-win-service-management-l1-1-0

CloseServiceHandle
StartServiceW
OpenSCManagerW
OpenServiceW

api-ms-win-service-winsvc-l1-2-0

ControlService

api-ms-win-service-management-l2-1-0

NotifyServiceStatusChangeW
QueryServiceStatusEx

api-ms-win-core-memory-l1-1-2

VirtualFree
VirtualQuery
VirtualAlloc

api-ms-win-core-debug-l1-1-1

OutputDebugStringA

api-ms-win-core-localization-l1-2-1

FormatMessageW
LCMapStringW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx

api-ms-win-security-base-l1-2-0

CheckTokenMembership
FreeSid
AllocateAndInitializeSid

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoInitialize

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-core-interlocked-l1-2-0

InterlockedPopEntrySList
InterlockedPushEntrySList

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
GlobalFree
LocalFree

api-ms-win-core-kernel32-legacy-l1-1-1

GetConsoleWindow
LoadLibraryW
LoadLibraryA
MulDiv

combase

ord3
ord4
ord2

gdi32

GetDeviceCaps

shell32

ShellExecuteW

wsshared

?GetDevLicenseInfoFromSqr@CWSSharedUtils@@SGJPAUHWND__@@PAXPAPAG2222@Z
?GetProxyCredentialsUsingSSPIPFC@CWSSharedUtils@@SGJPAUHWND__@@PBGKPAPAG2@Z
?GetBannedAppsListFromWeb@CWSSharedUtils@@SGJPAPAEPAI@Z
?SyncMachineLicenses@CWSSharedUtils@@SGJXZ

ntdll

NtQueryVolumeInformationFile
NtQueryInformationFile
RtlAdjustPrivilege
NtSetSystemInformation

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

sppc

SLDepositStoreToken
SLClose
SLOpen

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrStrIW

Exports

Exports

AcquireDeveloperLicense
CheckDeveloperLicense
DllCanUnloadNow
DllGetClassObject
GetApplicationURL
RefreshBannedAppsList
RemoveDeveloperLicense
WSCallServer
WSCheckForConsumable
WSEvaluatePackage
WSGetEvaluatePackageAttempted
WSLicenseCleanUpState
WSLicenseClose
WSLicenseFilterValidAppCategoryIds
WSLicenseGetAllUserTokens
WSLicenseGetAllValidAppCategoryIds
WSLicenseGetDevInstalledApps
WSLicenseGetExtendedUserInfo
WSLicenseGetFeatureLicenseResults
WSLicenseGetLicensesForProducts
WSLicenseGetOAuthServiceTicket
WSLicenseGetProductLicenseResults
WSLicenseInstallLicense
WSLicenseOpen
WSLicenseRefreshLicense
WSLicenseRetrieveMachineID
WSLicenseRevokeLicenses
WSLicenseSpecializeState
WSLicenseUninstallLicense
WSNotifyOOBECompletion
WSNotifyPackageInstalled
WSTriggerOOBEFileValidation
WSpTLRW
g_bPrintFromClientDLL

Sections

.text
Size: 150KB - Virtual size: 150KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 512B - Virtual size: 163B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4c41d916c7023c5b4877b05199537878

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-heap-l1-2-0

api-ms-win-core-libraryloader-l1-2-0

oleaut32

rpcrt4

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-file-l1-2-1

api-ms-win-core-io-l1-1-1

api-ms-win-core-string-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-2-0

api-ms-win-service-management-l2-1-0

api-ms-win-core-memory-l1-1-2

api-ms-win-core-debug-l1-1-1

api-ms-win-core-localization-l1-2-1

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-security-base-l1-2-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-interlocked-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-wow64-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-1

combase

gdi32

shell32

wsshared

ntdll

api-ms-win-core-delayload-l1-1-1

sppc

api-ms-win-core-shlwapi-obsolete-l1-1-0

Exports

Exports

Sections

.text Size: 150KB - Virtual size: 150KB

.orpc Size: 512B - Virtual size: 163B

.data Size: 1024B - Virtual size: 2KB

.idata Size: 8KB - Virtual size: 7KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 12KB - Virtual size: 11KB

.text
Size: 150KB - Virtual size: 150KB

.orpc
Size: 512B - Virtual size: 163B

.data
Size: 1024B - Virtual size: 2KB

.idata
Size: 8KB - Virtual size: 7KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 12KB - Virtual size: 11KB