ReWire[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ReWire.dll
Size

1.4MB
MD5

2f3f103405dec980cfa432ea93f92321
SHA1

4dc93f9aaba768a9c7d0473168831fe15d48fc85
SHA256

5b2c3a6727e4d1fcadec1e1ea0fa6055d1d041a52211cc75c2b0330f6a1754df
SHA512

4f7704bd77e336c11cc96f1dd45e2f4e98d78421b12696b89b887fec17027d543de0964177cc40114edb8c5b16b148ad24bb6e5bc9a09fce23f7daa34db5eb8f
SSDEEP

24576:uFxEKn67lrLcZNOHMpOn/rG6V0xmPyMbNzb:uo7Fg/pC2xm6yzb

Score

1^/10

Malware Config

Signatures

Files

ReWire.dll
.dll windows:5 windows x86 arch:x86

6f8f73d3790535c61959ecb492d51c4f

Code Sign

2b:32:50:47:a6:10:0e:8d:f6:fc:89:1f:0d:c6:75:7a
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

17/05/2013, 00:00

Not After

17/05/2015, 23:59

Subject

CN=Image Line,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Image Line,L=sint-martens-latem,ST=ovl,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f7:e6:36:49:13:4a:fb:72:08:ad:c7:ff:f9:0a:97:78:ed:8a:fc:3e
Signer

Actual PE Digest

f7:e6:36:49:13:4a:fb:72:08:ad:c7:ff:f9:0a:97:78:ed:8a:fc:3e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d:\BuildMachine\Projects\ReWire\Dev\Output\ReWireDLL\Win32\Deployment\ReWire.pdb

Imports

winmm

timeGetTime

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

kernel32

Sleep
CreateFileA
GetCurrentProcess
GetCurrentProcessId
InterlockedExchangeAdd
InterlockedCompareExchange
CreateMutexW
WaitForSingleObject
GetLastError
ReleaseMutex
CreateEventW
SetEvent
TerminateThread
SetThreadIdealProcessor
SetThreadAffinityMask
GetProcessAffinityMask
GetCurrentThread
ResumeThread
SetThreadPriority
CreateThread
CompareStringW
MultiByteToWideChar
WideCharToMultiByte
GetACP
SetErrorMode
GetFileAttributesW
GetLongPathNameW
GetDriveTypeW
GetVolumeInformationW
GetDiskFreeSpaceExW
GetTempPathW
GetWindowsDirectoryW
MoveFileExW
GetTempFileNameW
CreateDirectoryW
GetTickCount
SetFileTime
GetFileTime
CreateFileW
DeleteFileW
SetFileAttributesW
OpenProcess
FindClose
FindFirstFileW
GetLogicalDriveStringsW
FindNextFileW
ReadFile
WriteFile
RemoveDirectoryW
GetModuleFileNameW
GetCurrentThreadId
GetSystemTimeAsFileTime
FreeLibrary
GetProcAddress
LoadLibraryW
SearchPathW
DisableThreadLibraryCalls
SetDllDirectoryW
GetDllDirectoryW
GetFullPathNameW
GetSystemInfo
GetVersionExW
FindResourceW
LoadLibraryExW
SizeofResource
LockResource
LoadResource
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
GetThreadPriority
OpenMutexA
CreateMutexA
UnmapViewOfFile
OpenFileMappingA
MapViewOfFile
CreateFileMappingA
SetEnvironmentVariableA
GetConsoleMode
GetConsoleCP
SetFilePointer
GetLocaleInfoW
GetProcessTimes
CloseHandle
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
GetFileSize
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
GetStringTypeA
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
InterlockedIncrement
InterlockedDecrement
InterlockedExchange
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetLocaleInfoA
RtlUnwind
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RaiseException
HeapFree
GetModuleHandleW
ExitProcess
GetTimeFormatA
GetDateFormatA
GetCommandLineA
LCMapStringA
LCMapStringW
GetCPInfo
GetStringTypeW
CompareStringA
SetLastError
HeapSize
HeapAlloc
GetStdHandle
GetModuleFileNameA
GetModuleHandleA
HeapCreate
HeapDestroy
VirtualFree
FatalAppExitA
VirtualAlloc
HeapReAlloc
GetOEMCP
IsValidCodePage
SetConsoleCtrlHandler
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetTimeZoneInformation
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA

user32

CharLowerBuffW
CharUpperBuffW
wsprintfW

advapi32

RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
RegOpenKeyA
RegCloseKey
RegSetValueExA
RegQueryValueExW
RegOpenKeyExA

shell32

SHGetSpecialFolderLocation
SHGetMalloc
SHGetPathFromIDListW

ole32

CoInitialize
CoUninitialize
CoCreateInstance

Exports

Exports

RWDCloseImp
RWDComBytesAvailableImp
RWDComCheckConnectionImp
RWDComCreateImp
RWDComDestroyImp
RWDComDoesMessageFitImp
RWDComReadImp
RWDComSendImp
RWDIsCloseOKImp
RWDOpenImp
RWIsReWireMixerAppRunningImp
RWM2CloseDeviceImp
RWM2CloseImp
RWM2DriveAudioImp
RWM2GetControllerInfoImp
RWM2GetDeviceCountImp
RWM2GetDeviceInfoByHandleImp
RWM2GetDeviceInfoImp
RWM2GetEventBusInfoImp
RWM2GetEventChannelInfoImp
RWM2GetEventInfoImp
RWM2GetNoteInfoImp
RWM2IdleImp
RWM2IsCloseDeviceOKImp
RWM2IsCloseOKImp
RWM2IsPanelAppLaunchedImp
RWM2LaunchPanelAppImp
RWM2OpenDeviceImp
RWM2OpenImp
RWM2QuitPanelAppImp
RWM2SetAudioInfoImp
RWMCloseDeviceImp
RWMCloseImp
RWMDriveAudioImp
RWMGetDeviceCountImp
RWMGetDeviceInfoByHandleImp
RWMGetDeviceInfoImp
RWMIdleImp
RWMIsCloseDeviceOKImp
RWMIsCloseOKImp
RWMOpenDeviceImp
RWMOpenImp
RWPCloseImp
RWPComBytesAvailableImp
RWPComCheckConnectionImp
RWPComConnectImp
RWPComDisconnectImp
RWPComDoesMessageFitImp
RWPComReadImp
RWPComSendImp
RWPIsCloseOKImp
RWPLoadDeviceImp
RWPOpenImp
RWPRegisterDeviceImp
RWPRegisterReWireDeviceImp
RWPUnloadDeviceImp
RWPUnregisterDeviceImp
RWPUnregisterReWireDeviceImp
TopHatCloseDeviceImp
TopHatCloseImp
TopHatDriveAudioImp
TopHatGetDeviceCountImp
TopHatGetDeviceInfoImp
TopHatIdleImp
TopHatIsCloseDeviceOKImp
TopHatIsCloseOKImp
TopHatOpenDeviceImp
TopHatOpenImp

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 226KB - Virtual size: 226KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6f8f73d3790535c61959ecb492d51c4f

Code Sign

2b:32:50:47:a6:10:0e:8d:f6:fc:89:1f:0d:c6:75:7aCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

f7:e6:36:49:13:4a:fb:72:08:ad:c7:ff:f9:0a:97:78:ed:8a:fc:3eSigner

Headers

File Characteristics

PDB Paths

Imports

winmm

version

kernel32

user32

advapi32

shell32

ole32

Exports

Exports

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 226KB - Virtual size: 226KB

.data Size: 18KB - Virtual size: 38KB

.idata Size: 6KB - Virtual size: 5KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 49KB - Virtual size: 48KB

2b:32:50:47:a6:10:0e:8d:f6:fc:89:1f:0d:c6:75:7a
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

f7:e6:36:49:13:4a:fb:72:08:ad:c7:ff:f9:0a:97:78:ed:8a:fc:3e
Signer

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 226KB - Virtual size: 226KB

.data
Size: 18KB - Virtual size: 38KB

.idata
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 49KB - Virtual size: 48KB