PhoneOm[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

PhoneOm.dll
Size

338KB
MD5

126eef8db28ba4aac05ee793485d5d59
SHA1

2fbc71a9365b32fb7ac0478b0b47c70c9c05f22f
SHA256

deabfbb82df043a86c5b295f09884ee1a1f9efd4187e63bfeeb2b97614cfd611
SHA512

58906cc7e21d129ba150f2b9cf77b0ad196129d2d9d0d1b4f031ca58802228686f7bdc896fffefdc0903839674f0f768eca2cd2fd5764f5400c9fe8a5788bd0e
SSDEEP

3072:tvsOOSRooNq799y4PL+NjNw6QL++xI8vHLW8nZQbfGq4qi1rp72vngL6IKWjtv4q:SoU8pYmsmezCW5v4PkFwKUHQ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
PhoneOm.dll

Files

PhoneOm.dll
.dll windows:10 windows x86 arch:x86

3b32aad379e1a5f67f17476cf3f5ffd6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

PhoneOm.pdb

Imports

msvcrt

_amsg_exit
memmove
memcpy_s
_callnewh
_vsnwprintf_s
_errno
wcsstr
_initterm
memcpy
_XcptFilter
_ftol2
_except_handler4_common
_vsnwprintf
wcsncpy_s
malloc
free
_purecall
toupper
wcstoul
wcschr
memcmp
realloc
_lock
_unlock
_onexit
__CxxFrameHandler3
memmove_s
__dllonexit
memset

phoneutil

CreateBrandingInfo
VoipAppIdentityUtilities_GetApplicationResourceResolverFromApplication
VoipAppIdentityUtilities_GetApplicationByAumid
GetRpcClientUser
Phone_FmtText_NonDialerFormat
MapPlusToDialingPrefix
GetCountryCodeFromOperatorNum

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree
LocalAlloc

api-ms-win-core-url-l1-1-0

UrlEscapeW

oleaut32

VarUI4FromStr

api-ms-win-core-libraryloader-l1-2-0

FindResourceExW
LoadLibraryExW
GetModuleFileNameW
GetModuleFileNameA
FreeLibrary
GetModuleHandleW
DisableThreadLibraryCalls
GetModuleHandleExW
SizeofResource
GetProcAddress
LoadResource

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceExecuteOnce

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsDuplicateString
WindowsCreateStringReference
WindowsDeleteString
WindowsStringHasEmbeddedNull
WindowsIsStringEmpty
WindowsGetStringRawBuffer

api-ms-win-core-synch-l1-1-0

OpenEventW
AcquireSRWLockShared
InitializeSRWLock
CreateSemaphoreExW
CreateMutexExW
DeleteCriticalSection
ReleaseMutex
ReleaseSemaphore
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSectionEx
ReleaseSRWLockShared
SetEvent
CreateEventW
OpenSemaphoreW
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
WaitForSingleObject
WaitForSingleObjectEx

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoGetApartmentType
CoTaskMemAlloc
CoCreateInstance
CoDecrementMTAUsage
CoIncrementMTAUsage
CoReleaseMarshalData
StringFromGUID2
CoCreateFreeThreadedMarshaler
CreateStreamOnHGlobal
CoMarshalInterface
CoGetCallerTID
CoTaskMemRealloc

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
RegSetValueExW
RegQueryValueExW
RegCreateKeyExW
RegDeleteValueW
RegGetValueW

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventProviderEnabled
EventWriteTransfer
EventRegister
EventUnregister

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-winrt-error-l1-1-0

RoTransformError
RoOriginateErrorW
RoOriginateError
GetRestrictedErrorInfo
SetRestrictedErrorInfo

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-core-errorhandling-l1-1-0

RaiseException
GetLastError
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

rpcrt4

RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingFree
NdrClientCall4
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcExceptionFilter

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-localization-l1-2-0

FormatMessageW
GetLocaleInfoW

api-ms-win-core-processthreads-l1-1-0

SetThreadToken
GetCurrentThreadId
OpenProcessToken
OpenThreadToken
GetCurrentThread
TerminateProcess
GetCurrentProcessId
GetCurrentProcess

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-debug-l1-1-0

OutputDebugStringA
OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolWorkCallbacks
CloseThreadpoolWork
CreateThreadpoolWait
SetThreadpoolWait
WaitForThreadpoolWaitCallbacks
SubmitThreadpoolWork
SetThreadpoolTimer
CloseThreadpoolWait
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWork
CreateThreadpoolTimer
FreeLibraryWhenCallbackReturns

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-file-l1-1-0

GetFileSizeEx
CompareFileTime
CreateFileW

api-ms-win-service-management-l1-1-0

CloseServiceHandle
OpenSCManagerW
OpenServiceW

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus

api-ms-win-security-base-l1-1-0

GetTokenInformation
RevertToSelf

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoActivateInstance
RoGetActivationFactory
RoUninitialize

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
RoReportFailedDelegate
IsErrorPropagationEnabled

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

ntdll

NtQueryInformationToken
RtlInitUnicodeString
RtlAllocateHeap
RtlFreeHeap
RtlCompareUnicodeString
NtQueryWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlNtStatusToDosErrorNoTeb

combase

ord157
ord90

api-ms-win-security-accesshlpr-l1-1-0

FreeTransientObjectSecurityDescriptor
QueryTransientObjectSecurityDescriptor

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolAllowThreadReuse
SHTaskPoolQueueTask

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

CreatePhoneRpcClient
DTMFModeListener_CreateInstance
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
GetBluetoothHandsFreeLineInfo
IsCallOriginManagerSupported
PhoneAPIInitialize
PhoneAPIUninitialize
PhoneAcceptIncoming
PhoneAcceptIncomingEx
PhoneAcceptUpgradingRealTimeTextCall
PhoneAcceptVideo
PhoneActivateVisualVoicemail
PhoneAddListener
PhoneAddVideo
PhoneCallCapabilityAccessCheck
PhoneCallVoicemail
PhoneCancelNonSeamlessUpgrade
PhoneClearIdleCallsFromController
PhoneConference
PhoneConfirmNonSeamlessUpgrade
PhoneDeactivateVisualVoicemail
PhoneDial
PhoneDowngradeFromRealTimeTextCall
PhoneDropAccept
PhoneDropAcceptEx
PhoneDropVideo
PhoneEnableBluetoothHandsFree
PhoneEnd
PhoneExecutePendingDtmfWait
PhoneExitEmergencyMode
PhoneExplicitCallTransfer
PhoneFinishRecording
PhoneFlash
PhoneFormatPhoneNumber
PhoneFreeCallInfo
PhoneFreeRecordingApplicationList
PhoneGetActiveAppByType
PhoneGetActiveSpamFilterApp
PhoneGetAggregateBranding
PhoneGetAppListByType
PhoneGetAssistedDialNumber
PhoneGetAssistedDialSetting
PhoneGetAvailableActions
PhoneGetBlockPrivateNumbersSetting
PhoneGetBlockUnknownNumbersSetting
PhoneGetBluetoothHandsFreeState
PhoneGetBrandingText
PhoneGetCallCounts
PhoneGetCallInfo
PhoneGetCallState
PhoneGetCallsInConference
PhoneGetCellularApiComponentInfo
PhoneGetContactPictureHandle
PhoneGetDefaultOutgoingLine
PhoneGetDeviceRealTimeTextAutomaticEnabled
PhoneGetDeviceRealTimeTextEnabled
PhoneGetDeviceSupportsVideoCalling
PhoneGetElapsedTime
PhoneGetLinePublicInfo
PhoneGetLinePublicSettings
PhoneGetLines
PhoneGetLinesEx
PhoneGetMute
PhoneGetNetworkAlert
PhoneGetPreferredCallUpgradeLine
PhoneGetProviderLineInfo
PhoneGetProviderLineLockInfo
PhoneGetProviderLineServiceInfo
PhoneGetProviderLineVvmConnectivityState
PhoneGetRecordingApplications
PhoneGetShouldMuteKeypad
PhoneGetSpeaker
PhoneGetState
PhoneGetVideoCapabilities
PhoneGetVideoCapabilitySharingSettings
PhoneGetVisualVoicemailAccessor
PhoneGetVisualVoicemailBranding
PhoneGetVoicemailNumberAndOverrideInfo
PhoneGetWiredHeadsetState
PhoneHandleAppUninstallByType
PhoneInitiateCallUpgrade
PhoneInitiateRetrievalOfCIDRestrictionSupport
PhoneIsActionAvailable
PhoneIsDtmfWaitPending
PhoneIsEmergencyNumber
PhoneIsImmediateDialString
PhoneIsPhoneNumberInBlockList
PhoneIsVideoCallingEnabled
PhoneIsVideoCallingSwitchActionable
PhoneIsVoiceRoamingRestrictionActive
PhoneIsVvmSetupComplete
PhoneLineAddCapabilities
PhoneLineRemoveCapabilities
PhoneMapIddPrefixToPlus
PhoneMapPlusToDialingPrefix
PhoneMarkDataAffinityNotificationSeen
PhoneMarkVvmSetupComplete
PhoneModifyCallForwarding
PhoneModifyCallerIdSetting
PhoneModifyVideoCallingSetting
PhoneModifyVoicemailAddress
PhoneNotificationHelper_CreateInstance
PhonePauseRecording
PhonePrivate
PhonePublicDial
PhoneRefreshCallForwardingState
PhoneRefreshEcbmState
PhoneRefreshVideoCallingSetting
PhoneRejectIncoming
PhoneRejectIncomingForTextReply
PhoneRejectVideo
PhoneRemoveListener
PhoneSaveVvmPassword
PhoneSendDTMF
PhoneSendDTMFStart
PhoneSendDTMFStop
PhoneSendRealTimeTextData
PhoneSetActiveAppByType
PhoneSetActiveSpamFilterApp
PhoneSetBlockPrivateNumbersSetting
PhoneSetBlockUnknownNumbersSetting
PhoneSetBluetoothHfpCallAudioTransfer
PhoneSetCallOriginInfo
PhoneSetCallerAsActiveAppByType
PhoneSetFilterAppBlockList
PhoneSetForegroundLine
PhoneSetHold
PhoneSetLocalVideo
PhoneSetMute
PhoneSetPreferredCallUpgradeLine
PhoneSetRecordingApplication
PhoneSetReminderInfo
PhoneSetSpeaker
PhoneSetVideoCapabilitySharingSettings
PhoneSetVideoPaused
PhoneSpamFilteringEnabled
PhoneStartRecording
PhoneStartVisualVoicemailSync
PhoneSupportsLocalVvmConfig
PhoneSwap
PhoneUpgradeToRealTimeTextCall
PhoneWaitForAPIReady
RetrieveSystemNotificationCallbackPayload
ShouldPlayCallWaitingTone

Sections

.text
Size: 306KB - Virtual size: 306KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3b32aad379e1a5f67f17476cf3f5ffd6

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

phoneutil

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-url-l1-1-0

oleaut32

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

rpcrt4

api-ms-win-core-handle-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-profile-l1-1-0

ntdll

combase

api-ms-win-security-accesshlpr-l1-1-0

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 306KB - Virtual size: 306KB

.data Size: 512B - Virtual size: 2KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 32B

.rsrc Size: 1024B - Virtual size: 1008B

.reloc Size: 20KB - Virtual size: 20KB

.text
Size: 306KB - Virtual size: 306KB

.data
Size: 512B - Virtual size: 2KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 32B

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 20KB - Virtual size: 20KB