clbcatq[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

clbcatq.dll
Size

713KB
MD5

65dc3a5c5c30a64febf803ebcdc7cdcd
SHA1

f17bdceda4199e38395099f457a6e6abc5422767
SHA256

3ff2313b1ca561a6ea4e189893c6bcb49b9cc3349cc07768b7bb13d13fdedb06
SHA512

c55ea4dfd8acbecb2f3e9aa8f1fe0cf41a8267fdfb51ec3c06b68155f9c3e9187eb7c7c79147b25eaa0c1961a56805b2543e59299fe0d010af8147fa71ade776
SSDEEP

12288:JpxcbEeex4j3C4Dnwnedb8pmHWWg7lIGuysa:7u4x4mUwedopmHYcysa

Score

1^/10

Malware Config

Signatures

Files

clbcatq.dll
.dll regsvr32 windows:6 windows x64 arch:x64

09184eb983c7c56e18e36a2b202005c9

Code Sign

33:00:00:00:4e:a1:d8:07:70:a9:bb:e9:44:00:00:00:00:00:4e
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/07/2014, 20:32

Not After

01/10/2015, 20:32

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

40:e0:9f:7e:1f:b6:4a:6d:0e:8c:ae:66:80:94:b0:bf:b6:8f:1c:36:37:de:d5:14:41:c9:5f:53:b9:f9:fa:f2
Signer

Actual PE Digest

40:e0:9f:7e:1f:b6:4a:6d:0e:8c:ae:66:80:94:b0:bf:b6:8f:1c:36:37:de:d5:14:41:c9:5f:53:b9:f9:fa:f2

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

CLBCatQ.pdb

Imports

msvcrt

_XcptFilter
_vsnprintf
_amsg_exit
_initterm
__C_specific_handler
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
_wmakepath_s
memset
??1type_info@@UEAA@XZ
_wstrdate
_wstrtime
_ltow
_wtol
wcstombs
mbstowcs
wcschr
towupper
wcsstr
_wcslwr
wcstol
_stricmp
realloc
malloc
memmove
_wsplitpath_s
_wcsnicmp
wcsncmp
memcpy
memcmp
_local_unwind
free
__CxxFrameHandler3
_i64tow
_purecall
qsort
wcsrchr
_vsnwprintf
_wcsicmp
_waccess
wcscmp

ntdll

RtlAllocateHeap
RtlFreeHeap
NtOpenEvent
NtQueryEvent
RtlInitUnicodeString
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtQueryInformationProcess
WinSqmSetDWORD
RtlImageNtHeader

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-2-0

Sleep
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
WaitForSingleObject
InitializeCriticalSectionAndSpinCount
InitOnceExecuteOnce

api-ms-win-core-registry-l1-1-0

RegDeleteKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegQueryValueExW
RegCloseKey
RegDeleteTreeW
RegQueryInfoKeyW
RegDeleteValueW
RegEnumValueW
RegSetValueExW
RegFlushKey
RegEnumKeyExW

api-ms-win-core-errorhandling-l1-1-1

UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameW
DisableThreadLibraryCalls
LockResource
LoadResource
LoadLibraryExW
GetProcAddress
FreeLibrary
FindResourceExW
LoadStringW
GetModuleHandleW

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
GetTraceEnableLevel
TraceMessage
RegisterTraceGuidsW
GetTraceLoggerHandle
UnregisterTraceGuids

api-ms-win-core-processthreads-l1-1-2

GetExitCodeProcess
CreateProcessAsUserW
SetThreadToken
GetCurrentProcessId
GetCurrentThread
CreateProcessW
TerminateProcess
OpenThreadToken
GetCurrentProcess
SetThreadStackGuarantee
GetCurrentThreadId
GetThreadContext
OpenProcessToken

api-ms-win-security-base-l1-2-0

InitializeAcl
GetLengthSid
GetSecurityDescriptorDacl
GetSecurityDescriptorLength
AddAccessAllowedAce
AddAccessDeniedAce
InitializeSecurityDescriptor
GetAclInformation
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
DuplicateTokenEx
GetTokenInformation

api-ms-win-core-processenvironment-l1-2-0

GetCurrentDirectoryW
ExpandEnvironmentStringsW

api-ms-win-core-sysinfo-l1-2-1

GetSystemInfo
GetSystemDirectoryW
GetTickCount
GlobalMemoryStatusEx
GetVersionExW
GetSystemTimeAsFileTime
GetLocalTime

api-ms-win-core-localization-l1-2-1

FormatMessageW
GetSystemDefaultLCID
IsDBCSLeadByte

api-ms-win-core-memory-l1-1-2

UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
VirtualProtect
VirtualAlloc
VirtualFree
VirtualQuery
OpenFileMappingW

api-ms-win-core-file-l1-2-1

ReadFile
GetFileSizeEx
GetFileType
FlushFileBuffers
CreateFileW
SetFilePointer
FindClose
FindNextFileW
DeleteFileW
CreateDirectoryW
WriteFile
FindFirstFileW
GetLongPathNameW
GetTempPathW
GetFileAttributesW
SetEndOfFile
SetFileAttributesW
GetTempFileNameW

api-ms-win-core-file-l2-1-1

MoveFileWithProgressW
MoveFileExW

api-ms-win-core-string-l1-1-0

CompareStringW
MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-string-l2-1-0

CharLowerW
CharNextW

api-ms-win-core-heap-l1-2-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-debug-l1-1-1

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree

api-ms-win-core-string-obsolete-l1-1-0

lstrlenW
lstrlenA

api-ms-win-core-localization-obsolete-l1-2-0

CompareStringA

api-ms-win-security-base-private-l1-1-1

MakeAbsoluteSD2

kernel32

GetSystemWow64DirectoryW
GetComputerNameW

rpcrt4

UuidFromStringW

api-ms-win-core-version-l1-1-0

VerQueryValueW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

Exports

Exports

ActivatorUpdateForIsRouterChanges
CLSIDFromStringByBitness
CheckMemoryGates
CoRegCleanup
ComPlusEnablePartitions
ComPlusEnableRemoteAccess
ComPlusMigrate
ComPlusPartitionsEnabled
ComPlusRemoteAccessEnabled
CreateComponentLibraryEx
DeleteAllActivatorsForClsid
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
DowngradeAPL
GetCatalogObject
GetCatalogObject2
GetComputerObject
GetGlobalBabyJITEnabled
GetSimpleTableDispenser
InprocServer32FromString
OpenComponentLibraryEx
OpenComponentLibraryOnMemEx
OpenComponentLibraryOnStreamEx
ServerGetApplicationType
SetSetupOpen
SetSetupSave
SetupOpen
SetupSave
UpdateFromAppChange
UpdateFromComponentChange

Sections

.text
Size: 641KB - Virtual size: 641KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 408B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

09184eb983c7c56e18e36a2b202005c9

Code Sign

33:00:00:00:4e:a1:d8:07:70:a9:bb:e9:44:00:00:00:00:00:4eCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

40:e0:9f:7e:1f:b6:4a:6d:0e:8c:ae:66:80:94:b0:bf:b6:8f:1c:36:37:de:d5:14:41:c9:5f:53:b9:f9:fa:f2Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-security-base-l1-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-localization-l1-2-1

api-ms-win-core-memory-l1-1-2

api-ms-win-core-file-l1-2-1

api-ms-win-core-file-l2-1-1

api-ms-win-core-string-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-debug-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-security-base-private-l1-1-1

kernel32

rpcrt4

api-ms-win-core-version-l1-1-0

api-ms-win-core-delayload-l1-1-1

Exports

Exports

Sections

.text Size: 641KB - Virtual size: 641KB

.data Size: 12KB - Virtual size: 20KB

.pdata Size: 20KB - Virtual size: 20KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 408B

.rsrc Size: 7KB - Virtual size: 7KB

.reloc Size: 7KB - Virtual size: 7KB

33:00:00:00:4e:a1:d8:07:70:a9:bb:e9:44:00:00:00:00:00:4e
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

40:e0:9f:7e:1f:b6:4a:6d:0e:8c:ae:66:80:94:b0:bf:b6:8f:1c:36:37:de:d5:14:41:c9:5f:53:b9:f9:fa:f2
Signer

.text
Size: 641KB - Virtual size: 641KB

.data
Size: 12KB - Virtual size: 20KB

.pdata
Size: 20KB - Virtual size: 20KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 408B

.rsrc
Size: 7KB - Virtual size: 7KB

.reloc
Size: 7KB - Virtual size: 7KB