bcrypt[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

bcrypt.dll
Size

150KB
MD5

1f7b9d3bf099f7a34bd492be039fec91
SHA1

d33884ea4b9ebde8374f32b682dfd4b909e4ee2a
SHA256

d7f1ea828882a2d042b92ad30f564a2c7720c9abdf6f2e60acd108404ef7a491
SHA512

61b7fc8aea6fcde931b7c30b113c63a7d5232e27f645656380044d2eca84108cdab7b17bbb46af56c904a8e090817532eeaf929c89be493806c584639152e0f3
SSDEEP

3072:XP2IB+O4c3FfTgLzx9LpraGvmyJtAjp5iC/famHY:fxB+Pc3NTgLPprl73oHc

Score

1^/10

Malware Config

Signatures

Files

bcrypt.dll
.dll windows:6 windows x64 arch:x64

c104432e405147572fec04072f89c804

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:b4:bd:2e:8d:a8:f0:52:40:34:95:1b:48:20:15:db:21:9f:ee:49:80:c8:1d:b3:b2:6f:a2:6f:ff:d1:4c:27
Signer

Actual PE Digest

0e:b4:bd:2e:8d:a8:f0:52:40:34:95:1b:48:20:15:db:21:9f:ee:49:80:c8:1d:b3:b2:6f:a2:6f:ff:d1:4c:27

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

bcrypt.pdb

Imports

ntdll

RtlDeleteCriticalSection
RtlReleaseResource
RtlLeaveCriticalSection
RtlInitializeCriticalSection
RtlAcquireResourceShared
RtlCaptureContext
NtTerminateProcess
RtlDeleteResource
RtlAllocateHeap
EtwGetTraceLoggerHandle
NtQueryValueKey
NtOpenKey
RtlEnterCriticalSection
NtClose
RtlFreeHeap
RtlNtStatusToDosError
EtwUnregisterTraceGuids
EtwEventUnregister
NtOpenFile
EtwRegisterTraceGuidsW
RtlInitUnicodeString
RtlAcquireResourceExclusive
RtlInitializeResource
_wcsicmp
RtlCompareUnicodeString
RtlImageNtHeader
EtwEventRegister
EtwGetTraceEnableFlags
NtDeviceIoControlFile
EtwGetTraceEnableLevel
LdrDisableThreadCalloutsForDll
EtwEventWrite
RtlUnhandledExceptionFilter
EtwTraceMessage
RtlVirtualUnwind
RtlLookupFunctionEntry
wcsncmp
__C_specific_handler
__chkstk
memcmp
memcpy
memset
wcscmp

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
FreeLibrary
GetProcAddress
GetModuleFileNameW

api-ms-win-core-errorhandling-l1-1-1

GetLastError

api-ms-win-core-synch-l1-2-0

LeaveCriticalSection
InitializeSRWLock
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
EnterCriticalSection
InitializeCriticalSection
DeleteCriticalSection
CreateEventW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-2

OpenProcessToken
SetThreadStackGuarantee
GetCurrentProcess

api-ms-win-security-base-l1-2-0

PrivilegeCheck

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-threadpool-private-l1-1-0

RegisterWaitForSingleObjectEx

api-ms-win-core-sysinfo-l1-2-1

GetSystemInfo
GetSystemDirectoryW

api-ms-win-core-memory-l1-1-2

VirtualProtect
VirtualAlloc
VirtualQuery

Exports

Exports

BCryptAddContextFunction
BCryptAddContextFunctionProvider
BCryptCloseAlgorithmProvider
BCryptConfigureContext
BCryptConfigureContextFunction
BCryptCreateContext
BCryptCreateHash
BCryptCreateMultiHash
BCryptDecrypt
BCryptDeleteContext
BCryptDeriveKey
BCryptDeriveKeyCapi
BCryptDeriveKeyPBKDF2
BCryptDestroyHash
BCryptDestroyKey
BCryptDestroySecret
BCryptDuplicateHash
BCryptDuplicateKey
BCryptEncrypt
BCryptEnumAlgorithms
BCryptEnumContextFunctionProviders
BCryptEnumContextFunctions
BCryptEnumContexts
BCryptEnumProviders
BCryptEnumRegisteredProviders
BCryptExportKey
BCryptFinalizeKeyPair
BCryptFinishHash
BCryptFreeBuffer
BCryptGenRandom
BCryptGenerateKeyPair
BCryptGenerateSymmetricKey
BCryptGetFipsAlgorithmMode
BCryptGetProperty
BCryptHashData
BCryptImportKey
BCryptImportKeyPair
BCryptKeyDerivation
BCryptOpenAlgorithmProvider
BCryptProcessMultiOperations
BCryptQueryContextConfiguration
BCryptQueryContextFunctionConfiguration
BCryptQueryContextFunctionProperty
BCryptQueryProviderRegistration
BCryptRegisterConfigChangeNotify
BCryptRegisterProvider
BCryptRemoveContextFunction
BCryptRemoveContextFunctionProvider
BCryptResolveProviders
BCryptSecretAgreement
BCryptSetAuditingInterface
BCryptSetContextFunctionProperty
BCryptSetProperty
BCryptSignHash
BCryptUnregisterConfigChangeNotify
BCryptUnregisterProvider
BCryptVerifySignature

Sections

.text
Size: 123KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c104432e405147572fec04072f89c804

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

0e:b4:bd:2e:8d:a8:f0:52:40:34:95:1b:48:20:15:db:21:9f:ee:49:80:c8:1d:b3:b2:6f:a2:6f:ff:d1:4c:27Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-security-base-l1-2-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-threadpool-private-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-memory-l1-1-2

Exports

Exports

Sections

.text Size: 123KB - Virtual size: 123KB

.data Size: 2KB - Virtual size: 2KB

.pdata Size: 6KB - Virtual size: 6KB

.idata Size: 3KB - Virtual size: 3KB

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 56B

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

0e:b4:bd:2e:8d:a8:f0:52:40:34:95:1b:48:20:15:db:21:9f:ee:49:80:c8:1d:b3:b2:6f:a2:6f:ff:d1:4c:27
Signer

.text
Size: 123KB - Virtual size: 123KB

.data
Size: 2KB - Virtual size: 2KB

.pdata
Size: 6KB - Virtual size: 6KB

.idata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 56B