catsrv[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

catsrv.dll
Size

477KB
MD5

3ad61e079512eef84aaffd32bcbdd2ed
SHA1

dfb9c7a5ef57b48dfa5a26545026ae79d3fa3dc8
SHA256

95dd9ab6826e9f1c21eb0131250eea9c946cdfc88cec96219402e91f81a06670
SHA512

9f50ee0aa23a2bbc859d11e7dc65b4bd9e192529af2ae2255c509a3b7c498220a17f20ab71bf66e3af87a9cce1c8ac90a07aee18db4fb601496298ec065cfdf0
SSDEEP

6144:9qZVLYknlfWEwsYqYAoc7x3U1HLRbz78PFbP+uJN4+JLZPAufLsC3kn9xLZB6F/t:gaknlfw3Ak1HLxkNTr4+T9fLp09+z0

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
catsrv.dll

Files

catsrv.dll
.dll regsvr32 windows:6 windows x64 arch:x64

b72f041c402b85c2ac675be564c19e95

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

catsrv.pdb

Imports

msvcrt

__dllonexit
_unlock
_lock
__C_specific_handler
_initterm
memset
_amsg_exit
_XcptFilter
memcpy
memcmp
_local_unwind
__CxxFrameHandler3
swscanf
_i64tow
iswdigit
_wcsnicmp
wcschr
wcsspn
free
_itow
wcsrchr
wcstok
wcstol
_errno
_wrename
_vsnwprintf
_beginthreadex
_wcsicmp
_purecall
wcscpy_s
realloc
wcscat_s
malloc
_onexit
_wstrtime
_waccess
_wstrdate
_vsnprintf
_wcsdup
wcstoul
_wtoi
wcscmp

clbcatq

OpenComponentLibraryEx
SetupSave
SetupOpen
CreateComponentLibraryEx
GetSimpleTableDispenser
CLSIDFromStringByBitness
ServerGetApplicationType
ComPlusPartitionsEnabled
DowngradeAPL

mfcsubs

?FreeDataChain@CPlex@@QEAAXXZ
?Right@CString@@QEBA?AV1@H@Z
??0CString@@QEAA@PEBG@Z
??0CString@@QEAA@GH@Z
??H@YA?AVCString@@AEBV0@0@Z
?Find@CString@@QEBAHPEBG@Z
?Create@CPlex@@SAPEAU1@AEAPEAU1@II@Z
??YCString@@QEAAAEBV0@PEBG@Z
??$ConstructElements@VCString@@@@YAXPEAVCString@@H@Z
?Mid@CString@@QEBA?AV1@H@Z
?Left@CString@@QEBA?AV1@H@Z
??H@YA?AVCString@@AEBV0@PEBG@Z
??0CString@@QEAA@AEBV0@@Z
??H@YA?AVCString@@PEBGAEBV0@@Z
??4CString@@QEAAAEBV0@AEBV0@@Z
?MakeUpper@CString@@QEAAXXZ
??0CString@@QEAA@PEBD@Z
??$DestructElements@VCString@@@@YAXPEAVCString@@H@Z
??1CString@@QEAA@XZ
??4CString@@QEAAAEBV0@PEBG@Z
??0CString@@QEAA@XZ
?ReverseFind@CString@@QEBAHG@Z

ntdll

RtlImageRvaToVa
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WinSqmSetDWORD
DbgUserBreakPoint

oleaut32

LoadTypeLibEx
SysFreeString
QueryPathOfRegTypeLi
VarUI4FromStr
RegisterTypeLi
SysStringLen
SysAllocString
LoadTypeLi
LoadRegTypeLi

api-ms-win-core-synch-l1-2-0

InitializeCriticalSectionAndSpinCount
CreateSemaphoreExW
ReleaseSemaphore
EnterCriticalSection
ResetEvent
OpenMutexW
LeaveCriticalSection
Sleep
WaitForSingleObject
SetEvent
InitializeCriticalSection
ReleaseMutex
CreateEventW
DeleteCriticalSection

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls
GetModuleHandleW
GetModuleFileNameW
FindResourceExW
GetProcAddress
FreeLibrary
LoadResource
SizeofResource
FreeLibraryAndExitThread
LockResource
LoadStringW
LoadLibraryExW

api-ms-win-core-string-l2-1-0

CharPrevW
IsCharAlphaNumericW
CharLowerW
CharNextW

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter

api-ms-win-core-registry-l1-1-0

RegFlushKey
RegDeleteTreeW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegSetValueExW
RegCreateKeyExW
RegQueryValueExW
RegDeleteValueW
RegCloseKey

api-ms-win-core-sysinfo-l1-2-1

GetVersionExW
GetSystemInfo
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount
GetLocalTime

api-ms-win-core-memory-l1-1-2

UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
CreateFileMappingW
VirtualAlloc
VirtualProtect
VirtualQuery

api-ms-win-core-string-l1-1-0

CompareStringW
WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-heap-l1-2-0

HeapDestroy

api-ms-win-core-processthreads-l1-1-2

GetCurrentProcess
GetThreadContext
CreateProcessW
TerminateProcess
CreateProcessAsUserW
GetExitCodeProcess
GetCurrentThread
GetCurrentProcessId
SetThreadToken
OpenProcessToken
GetCurrentThreadId
OpenThreadToken

api-ms-win-core-localization-l1-2-1

GetThreadLocale
SetThreadLocale
FormatMessageW
GetUserDefaultLangID
GetSystemDefaultLCID
IsValidLocale

api-ms-win-core-debug-l1-1-1

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-file-l1-2-1

FindFirstFileW
DeleteFileW
FindClose
GetLongPathNameW
GetShortPathNameW
GetFileAttributesW
GetTempPathW
GetFileSize
CreateFileW
SetFilePointer
WriteFile
GetFileSizeEx
RemoveDirectoryW
CreateDirectoryW
GetFileType
GetFullPathNameW
ReadFile
SetFileAttributesW
SetFileTime
FileTimeToLocalFileTime
GetFileAttributesExW
GetTempFileNameW
FindNextFileW

api-ms-win-core-file-l2-1-1

MoveFileExW

api-ms-win-security-base-l1-2-0

AddAce
CheckTokenMembership
GetSidLengthRequired
DestroyPrivateObjectSecurity
CreatePrivateObjectSecurityEx
IsValidSecurityDescriptor
IsWellKnownSid
FreeSid
CopySid
GetSidSubAuthorityCount
GetSidSubAuthority
AllocateAndInitializeSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
InitializeAcl
DuplicateTokenEx
GetSecurityDescriptorLength
GetTokenInformation
RevertToSelf
GetLengthSid
AddAccessAllowedAce
GetSecurityDescriptorDacl

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-version-l1-1-0

VerQueryValueW

api-ms-win-core-string-obsolete-l1-1-0

lstrcpynW
lstrcmpiW
lstrlenW
lstrcpyW

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree
LocalReAlloc
LocalAlloc
LocalSize

api-ms-win-core-privateprofile-l1-1-1

WritePrivateProfileStringW
GetPrivateProfileStringW

api-ms-win-core-com-private-l1-1-0

CoGetModuleType

kernel32

LoadLibraryW
CopyFileW
GetSystemWow64DirectoryW
MoveFileW
DosDateTimeToFileTime
FileTimeToDosDateTime
GetComputerNameW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathStripPathW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

Exports

Exports

?CancelWriteICR@@YAJPEAPEAUIComponentRecords@@@Z
?GetReadICR@@YAJHPEAPEAUIComponentRecords@@@Z
?GetWriteICR@@YAJPEAPEAUIComponentRecords@@@Z
?ReleaseReadICR@@YAXPEAPEAUIComponentRecords@@@Z
?SaveWriteICR@@YAJPEAPEAUIComponentRecords@@@Z
CreateComponentLibraryTS
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
GetAppImport
GetCatalogCRMClerk
OpenComponentLibraryTS

Sections

.text
Size: 451KB - Virtual size: 451KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b72f041c402b85c2ac675be564c19e95

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

clbcatq

mfcsubs

ntdll

oleaut32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-memory-l1-1-2

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-localization-l1-2-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-file-l1-2-1

api-ms-win-core-file-l2-1-1

api-ms-win-security-base-l1-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-privateprofile-l1-1-1

api-ms-win-core-com-private-l1-1-0

kernel32

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-delayload-l1-1-1

Exports

Exports

Sections

.text Size: 451KB - Virtual size: 451KB

.data Size: 1024B - Virtual size: 13KB

.pdata Size: 9KB - Virtual size: 8KB

.idata Size: 10KB - Virtual size: 10KB

.didat Size: 1024B - Virtual size: 864B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 451KB - Virtual size: 451KB

.data
Size: 1024B - Virtual size: 13KB

.pdata
Size: 9KB - Virtual size: 8KB

.idata
Size: 10KB - Virtual size: 10KB

.didat
Size: 1024B - Virtual size: 864B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1KB - Virtual size: 1KB