D2Launch[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

D2Launch.dll
Size

164KB
MD5

bdea26a7dd7b90d183488122a02bdd53
SHA1

9d9369b33ad7d751f3af28eafb23a623deb242fe
SHA256

4dd5eda8b748443a7fdb34051f72f1fdb3d1d1b90ed19ff4b841837cbd72e5c1
SHA512

e42151901e1a21fc1fbba37a2f8374be1af59d31128e2c41cdd1edeb988d4a60aa2547daeec1fb0753d0d222c58ee7a2d6724b8590f7679d0d618ba660f8fe26
SSDEEP

3072:XCOP013pKY3IB1emSrt8/RsN3jMpw6ABGgNMxJxc/NfUnVs8Rid6BViNrCrl0gT0:XpM9pIgUnVdRi+V6qTV

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
D2Launch.dll

Files

D2Launch.dll
.dll windows:4 windows x86 arch:x86

b3e950ecb87461dfd765dc122d13471a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\projects\diablo2\trunk\Diablo2\Builder\PDB\D2Launch.pdb

Imports

kernel32

GetFileSize
Sleep
GetDiskFreeSpaceA
ExitProcess
GetModuleHandleA
GetSystemTimeAsFileTime
WaitForSingleObject
GetCommandLineA
GetVersionExA
DeleteCriticalSection
LeaveCriticalSection
LCMapStringW
LCMapStringA
GetStringTypeW
GetStringTypeA
GetLocaleInfoA
SetEndOfFile
GetCurrentProcessId
QueryPerformanceCounter
GetCPInfo
GetOEMCP
GetACP
GetSystemInfo
VirtualProtect
MultiByteToWideChar
FlushFileBuffers
VirtualAlloc
SetStdHandle
CreateFileA
FindClose
GetTickCount
DeleteFileA
FindNextFileA
FindFirstFileA
GetFileAttributesA
OutputDebugStringA
LoadLibraryA
GetProcAddress
GetLastError
TerminateProcess
GetCurrentThreadId
VirtualQuery
InterlockedExchange
HeapSize
HeapReAlloc
RtlUnwind
InitializeCriticalSection
SetFilePointer
WriteFile
UnhandledExceptionFilter
VirtualFree
HeapCreate
HeapDestroy
GetEnvironmentStringsW
WideCharToMultiByte
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetModuleFileNameA
GetStartupInfoA
GetFileType
GetStdHandle
SetHandleCount
HeapAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
TlsAlloc
CloseHandle
HeapFree
ReadFile
EnterCriticalSection
GetCurrentProcess

user32

wsprintfA
TranslateMessage
PeekMessageA
GetCursorPos
DispatchMessageA
MessageBoxA

storm

ord494
ord268
ord582
ord253
ord423
ord401
ord403
ord426
ord501
ord508
ord502
ord578
ord422
ord509
ord491
ord425
ord571
ord506
ord503

fog

gdwBitMasks
ord10111
ord10109
ord10110
ord10086
ord10107
gdwInvBitMasks
ord10112
ord10229
ord10114
ord10265
ord10024
ord10233
ord10042
ord10043
ord10085
ord10227
ord10013
ord10191
ord10015
ord10104
ord10102
ord10029
ord10105
ord10103
ord10115
ord10108

d2win

ord10186
ord10013
ord10068
ord10099
ord10047
ord10159
ord10053
ord10095
ord10111
ord10164
ord10023
ord10034
ord10149
ord10056
ord10093
ord10123
ord10088
ord10020
ord10145
ord10117
ord10072
ord10153
ord10122
ord10014
ord10079
ord10116
ord10085
ord10171
ord10169
ord10037
ord10048
ord10150
ord10189
ord10087
ord10141
ord10036
ord10197
ord10101
ord10157
ord10142
ord10090
ord10021
ord10184
ord10143
ord10039
ord10086
ord10098
ord10190
ord10017
ord10043
ord10065
ord10135
ord10008
ord10052
ord10003
ord10185
ord10075
ord10089
ord10044
ord10064
ord10160
ord10120
ord10118
ord10032
ord10113
ord10030
ord10167
ord10109
ord10108
ord10051
ord10082
ord10110
ord10070
ord10049
ord10115
ord10112
ord10038
ord10131
ord10139
ord10175
ord10132

d2sound

ord10016
ord10021
ord10009
ord10001
ord10058
ord10027
ord10037
ord10069
ord10034
ord10056
ord10003

d2net

ord10027
ord10034
ord10000
ord10036

d2mcpclient

ord10025
ord10054
ord10015
ord10024
ord10029
ord10014
ord10044
ord10055
ord10033
ord10050
ord10026
ord10056
ord10057
ord10051
ord10000
ord10060
ord10003
ord10010
ord10059
ord10017
ord10006

d2lang

?isAlpha@Unicode@@QBEHXZ
?isLineBreak@Unicode@@SIHPBU1@I@Z
?toUnicode@Unicode@@SIPAU1@PAU1@PBDH@Z
?stricmp@Unicode@@SIHPBU1@0@Z
?_toUpperTable@Unicode@@0PAGA
ord10008
ord10000
ord10009
?strlen@Unicode@@SIHPBU1@@Z
ord10001
?toUtf@Unicode@@SIPADPADPBU1@H@Z
?unicode2Win@Unicode@@SIPADPADPBU1@H@Z
?strcat@Unicode@@SIPAU1@PAU1@PBU1@@Z
?strcpy@Unicode@@SIPAU1@PAU1@PBU1@@Z
?strcmp@Unicode@@SIHPBU1@0@Z
?sprintf@Unicode@@SAXHPAU1@PBU1@ZZ
??_FUnicode@@QAEXXZ
ord10004
?utf8ToUnicode@Unicode@@SIPAU1@PAU1@PBDH@Z
?win2Unicode@Unicode@@SIPAU1@PAU1@PBDH@Z
?strncpy@Unicode@@SIPAU1@PAU1@PBU1@H@Z

d2gfx

ord10025
ord10004

bnclient

?SetCurGateway@BNGatewayAccess@@QAGXH@Z
?Name@BNGatewayAccess@@QAGPADH@Z
?Realm@BNGatewayAccess@@QAGPADH@Z
?SaveAndUnload@BNGatewayAccess@@QAGXXZ

Exports

Exports

QueryInterface

Sections

.text
Size: 108KB - Virtual size: 104KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b3e950ecb87461dfd765dc122d13471a

Headers

File Characteristics

PDB Paths

Imports

kernel32

user32

storm

fog

d2win

d2sound

d2net

d2mcpclient

d2lang

d2gfx

bnclient

Exports

Exports

Sections

.text Size: 108KB - Virtual size: 104KB

.rdata Size: 16KB - Virtual size: 14KB

.data Size: 20KB - Virtual size: 32KB

.reloc Size: 16KB - Virtual size: 13KB

.text
Size: 108KB - Virtual size: 104KB

.rdata
Size: 16KB - Virtual size: 14KB

.data
Size: 20KB - Virtual size: 32KB

.reloc
Size: 16KB - Virtual size: 13KB