adhapi[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

adhapi.dll
Size

22KB
MD5

7b11aca8bf3b44f0b4e49319d346f813
SHA1

e3aa37e48df5bb617c7e89c363b75cf337ea6b9a
SHA256

91844aee6f4267c3dcd695741297b3ac0b2e215a8ec8a50dfa08be5f11091df9
SHA512

db63345f82d1c048fc0be6431a341f7902c165927461997916d8f1f42912af79f7904713a3fa3bdac17cde753b06e1556c8f064cae372a9fe100a4b47e158fa1
SSDEEP

384:J7YqNY+bwx5C/s5UrMYYoVuSx12tmN9HNIcGAcYfGHWAMW:J7Yq/bwteMYYiuINzI2Gj

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
adhapi.dll

Files

adhapi.dll
.dll windows:6 windows x64 arch:x64

4395633ee36e69fc9a83734a84d0d64b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AdhApi.pdb

Imports

msvcrt

_initterm
malloc
free
_amsg_exit
_XcptFilter
__C_specific_handler
memset

ntdll

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwTraceMessage

rpcrt4

RpcAsyncCancelCall
RpcBindingSetAuthInfoExW
Ndr64AsyncClientCall
RpcBindingSetOption
RpcAsyncCompleteCall
RpcAsyncInitializeHandle
NdrClientCall3
RpcStringFreeW
RpcBindingFree
RpcStringBindingComposeW
RpcBindingFromStringBindingW

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls

api-ms-win-security-base-l1-2-0

CreateWellKnownSid

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolWaitCallbacks
CloseThreadpoolWait
SetThreadpoolWait
CreateThreadpoolWait

api-ms-win-core-synch-l1-2-0

Sleep
WaitForSingleObject
CreateEventW

api-ms-win-core-heap-l1-2-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-2

GetCurrentProcessId
TerminateProcess
GetCurrentProcess
GetCurrentThreadId

api-ms-win-core-sysinfo-l1-2-1

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-security-lsalookup-l1-1-1

LookupAccountSidLocalW

Exports

Exports

AdhEngineClose
AdhEngineOpen
AdhGetConfig
AdhGetEvidenceCollectorResult
AdhStatusEventSubscribe
AdhStatusEventUnsubscribe
DllMain

Sections

.text
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 528B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4395633ee36e69fc9a83734a84d0d64b

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

rpcrt4

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-profile-l1-1-0

api-ms-win-security-lsalookup-l1-1-1

Exports

Exports

Sections

.text Size: 15KB - Virtual size: 14KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 1024B - Virtual size: 528B

.idata Size: 3KB - Virtual size: 2KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 180B

.text
Size: 15KB - Virtual size: 14KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1024B - Virtual size: 528B

.idata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 180B