urlproc[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

urlproc.dll
Size

707KB
MD5

c2eae44c9c891f8882ac529218a3381b
SHA1

d68a35ba3467a99bacc721fa7d2c627d56285db3
SHA256

46be63404064f5be981b723ae541bbaef577c8b709a95a05cd964d9e600c02f4
SHA512

d71cee7f5af8ff025890231a7dea59cd3b3be61d792ec57553c84f31041cc2cc426eedf5cfc4c083cb8529ab1b68ea5a20dc4cdba69df36ff8137e75dc7d15a3
SSDEEP

12288:77/kjnXdheGdstZGdPMaM04WlYevI6ao/cs++asPACI4/XfIlo9Tix9/HF:7DkjnrIevD/cZ+XACI4/fIW9Tix9/HF

Score

1^/10

Malware Config

Signatures

Files

urlproc.dll
.dll regsvr32 windows:5 windows x86 arch:x86

724f57ef7bcea712f39d8a26ee673f64

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

26:27:9f:0f:2f:11:97:0d:cc:f6:3e:ba:88:f2:d4:c4
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

06/01/2016, 00:00

Not After

28/03/2019, 23:59

Subject

CN=Qihoo 360 Software (Beijing) Company Limited,OU=Tech. Dev. Dept.,O=Qihoo 360 Software (Beijing) Company Limited,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

23:38:91:61:e4:5a:21:8b:d2:4e:6e:85:9a:e1:11:53
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

28/12/2015, 00:00

Not After

28/03/2019, 23:59

Subject

CN=Qihoo 360 Software (Beijing) Company Limited,OU=Tech. Dev. Dept.,O=Qihoo 360 Software (Beijing) Company Limited,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

55:45:ca:02:24:61:90:d9:79:ee:b4:0d:b9:ff:bc:18
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

11/06/2015, 00:00

Not After

29/12/2020, 23:59

Subject

CN=GeoTrust 2048-bit Timestamping Signer 3,O=GeoTrust Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

01/01/1997, 00:00

Not After

31/12/2020, 23:59

Subject

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

dc:37:d3:74:af:c4:4f:94:d2:71:85:49:14:bc:1c:53:07:fb:2a:a0:c2:70:80:e8:5f:c1:53:94:8e:34:e0:22
Signer

Actual PE Digest

dc:37:d3:74:af:c4:4f:94:d2:71:85:49:14:bc:1c:53:07:fb:2a:a0:c2:70:80:e8:5f:c1:53:94:8e:34:e0:22

Digest Algorithm

sha256

PE Digest Matches

true

0f:32:8b:57:ab:8c:c6:37:dd:7d:f9:3a:5c:2b:ee:57:b6:73:8c:9e
Signer

Actual PE Digest

0f:32:8b:57:ab:8c:c6:37:dd:7d:f9:3a:5c:2b:ee:57:b6:73:8c:9e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\vmagent_new\bin\joblist\140443\out\Release\urlproc.pdb

Imports

kernel32

LeaveCriticalSection
CloseHandle
InterlockedCompareExchange
Sleep
InterlockedExchange
GetTickCount
CreateThread
WaitForSingleObject
lstrcmpiA
CreateFileW
GetFileSize
WideCharToMultiByte
GetPrivateProfileIntA
GetPrivateProfileStringA
LocalFree
UnmapViewOfFile
DebugBreak
OutputDebugStringW
LoadLibraryW
lstrcpynA
GlobalAlloc
GlobalFree
WaitForMultipleObjects
CreateEventW
SetEvent
IsBadReadPtr
lstrcmpA
ReadFile
WriteFile
GetVersionExW
CreateDirectoryW
OpenMutexW
CreateMutexW
ReleaseMutex
DeleteFileW
GetSystemTime
SystemTimeToFileTime
GetFileTime
CompareFileTime
SetFilePointer
MapViewOfFileEx
CreateFileMappingW
OpenFileMappingW
GetFileAttributesExW
GetPrivateProfileSectionW
GetModuleFileNameA
FindAtomW
lstrcmpiW
EnterCriticalSection
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GetLocaleInfoW
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetModuleHandleA
FlushFileBuffers
GetConsoleMode
GetConsoleCP
DisableThreadLibraryCalls
GetProcAddress
GetLastError
RaiseException
lstrlenW
MultiByteToWideChar
GetModuleFileNameW
SizeofResource
InitializeCriticalSection
GetModuleHandleW
InterlockedDecrement
InterlockedIncrement
LoadLibraryExW
LoadResource
DeleteAtom
TlsAlloc
AddAtomW
GetStringTypeW
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
OpenThread
GetAtomNameW
TlsSetValue
GetProcessHeap
HeapFree
HeapAlloc
TlsGetValue
GetCurrentThreadId
SetLastError
FormatMessageW
GetFileSizeEx
SetFilePointerEx
LocalFileTimeToFileTime
GetSystemTimeAsFileTime
CreateFileA
lstrlenA
SetStdHandle
DeleteCriticalSection
GetUserDefaultLCID
GetCurrentProcessId
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStartupInfoA
GetFileType
SetHandleCount
IsValidCodePage
GetOEMCP
GetACP
HeapSize
GetStdHandle
ExitProcess
VirtualFree
HeapDestroy
HeapCreate
GetCPInfo
LCMapStringW
LCMapStringA
RtlUnwind
GetCommandLineA
HeapReAlloc
VirtualQuery
GetSystemInfo
VirtualAlloc
VirtualProtect
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
InterlockedExchangeAdd
TlsFree
FreeLibrary
FindResourceW
DeviceIoControl

user32

CharNextW
IsWindow
SendMessageW
LoadStringW
CharLowerA
CharLowerW

advapi32

RegQueryInfoKeyW
RegCreateKeyExW
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegQueryValueExW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegSetValueExW
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegDeleteValueW
RegDeleteKeyW
RegQueryValueExA

shell32

SHGetSpecialFolderPathW
SHGetFolderPathW

ole32

CoTaskMemAlloc
CoCreateInstance
CoTaskMemFree
CoTaskMemRealloc

oleaut32

SafeArrayPutElement
VarUI4FromStr
SafeArrayCreate
VariantInit

shlwapi

SHGetValueW
PathCombineW
SHGetValueA
StrCpyNW
PathFileExistsW
UrlGetPartA
StrDupA
StrStrIA
StrCmpNIA
PathRemoveFileSpecA
PathCombineA
PathRemoveFileSpecW
StrChrA
StrCmpNIW

iphlpapi

GetIpAddrTable
GetNetworkParams

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

wininet

InternetOpenA
InternetSetOptionA
InternetConnectA
HttpOpenRequestA
InternetCloseHandle
InternetReadFile
HttpQueryInfoA
HttpEndRequestW
InternetWriteFile
HttpSendRequestExA
HttpAddRequestHeadersA

ws2_32

inet_ntoa
ntohl
WSAStartup
gethostbyname
htonl
htons
ntohs
getaddrinfo
freeaddrinfo
socket
connect
closesocket
send
recv
WSAGetLastError
inet_addr

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
QH360UrlLibAttachObject
QH360UrlLibAttachObjectV2
QH360UrlLibCreateResultParser
StartCleaner
StopCleaner

Sections

.text
Size: 549KB - Virtual size: 549KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 91KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MAGIC
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.SHARE
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

724f57ef7bcea712f39d8a26ee673f64

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

26:27:9f:0f:2f:11:97:0d:cc:f6:3e:ba:88:f2:d4:c4Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

23:38:91:61:e4:5a:21:8b:d2:4e:6e:85:9a:e1:11:53Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

55:45:ca:02:24:61:90:d9:79:ee:b4:0d:b9:ff:bc:18Certificate

Extended Key Usages

Key Usages

Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

dc:37:d3:74:af:c4:4f:94:d2:71:85:49:14:bc:1c:53:07:fb:2a:a0:c2:70:80:e8:5f:c1:53:94:8e:34:e0:22Signer

0f:32:8b:57:ab:8c:c6:37:dd:7d:f9:3a:5c:2b:ee:57:b6:73:8c:9eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

shlwapi

iphlpapi

version

wininet

ws2_32

Exports

Exports

Sections

.text Size: 549KB - Virtual size: 549KB

.rdata Size: 91KB - Virtual size: 91KB

.data Size: 16KB - Virtual size: 29KB

.MAGIC Size: 512B - Virtual size: 44B

.SHARE Size: 512B - Virtual size: 144B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 32KB - Virtual size: 32KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

26:27:9f:0f:2f:11:97:0d:cc:f6:3e:ba:88:f2:d4:c4
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

23:38:91:61:e4:5a:21:8b:d2:4e:6e:85:9a:e1:11:53
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

55:45:ca:02:24:61:90:d9:79:ee:b4:0d:b9:ff:bc:18
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

dc:37:d3:74:af:c4:4f:94:d2:71:85:49:14:bc:1c:53:07:fb:2a:a0:c2:70:80:e8:5f:c1:53:94:8e:34:e0:22
Signer

0f:32:8b:57:ab:8c:c6:37:dd:7d:f9:3a:5c:2b:ee:57:b6:73:8c:9e
Signer

.text
Size: 549KB - Virtual size: 549KB

.rdata
Size: 91KB - Virtual size: 91KB

.data
Size: 16KB - Virtual size: 29KB

.MAGIC
Size: 512B - Virtual size: 44B

.SHARE
Size: 512B - Virtual size: 144B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 32KB - Virtual size: 32KB