FirewallOfflineAPI[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

FirewallOfflineAPI.dll
Size

206KB
MD5

2e9263a513819a1c6e24b59ef80d23f3
SHA1

67e13674cdc24c38c76c5e7a320c20d5b5d9e66e
SHA256

253cd49ac4e0b1674922d0c800e4540ba6f1291bb4eae9d47fae800f86a7ddbe
SHA512

62d5f30165a374700062df32907cd05a12dc4fc54e70c76425c6e23285a971df0a52045fcf1a0efeca960de6dda4c09d8f73383ee3ed0a8ccc7c581076b043b2
SSDEEP

3072:AaEI8hUtoqZRVhSKMN+dF7Bwa8BKRWOuFxSoYu1U/A2Y4/rFu1GN3E6O:b3dnhSKMNekdxSI4nY4/M1GNq

Score

1^/10

Malware Config

Signatures

Files

FirewallOfflineAPI.dll
.dll windows:10 windows x86 arch:x86

b985d90f788e2cad9ce334d84030f768

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5a:a6:a6:25:93:14:18:68:25:ee:b6:70:41:cd:da:df:1b:4c:07:8e:5f:b4:a6:29:8b:82:3c:8b:9b:cf:ad:4b
Signer

Actual PE Digest

5a:a6:a6:25:93:14:18:68:25:ee:b6:70:41:cd:da:df:1b:4c:07:8e:5f:b4:a6:29:8b:82:3c:8b:9b:cf:ad:4b

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

FirewallOfflineAPI.pdb

Imports

msvcrt

_amsg_exit
towupper
free
malloc
_initterm
wcspbrk
iswalpha
qsort
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_XcptFilter
_lock
_unlock
wcschr
__dllonexit
_ultow
wcstoul
_wcsnicmp
_onexit
memmove
__CxxFrameHandler3
iswdigit
memcpy
memcmp
_CxxThrowException
wcsncmp
_wcsicmp
_except_handler4_common
memmove_s
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ
_vsnprintf_s
memcpy_s
_vsnwprintf
??3@YAXPAX@Z
??1exception@@UAE@XZ
_purecall
memset

api-ms-win-core-libraryloader-l1-1-0

GetModuleHandleW
LoadLibraryExW
FreeLibrary
DisableThreadLibraryCalls
GetProcAddress
GetModuleHandleExW
GetModuleFileNameA
LoadStringW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
TerminateProcess

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
GetLastError
UnhandledExceptionFilter

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount
CreateSemaphoreExW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LeaveCriticalSection
AcquireSRWLockShared
ReleaseSRWLockShared
ReleaseSemaphore
CreateMutexExW
ReleaseMutex
WaitForSingleObjectEx
OpenSemaphoreW
WaitForSingleObject
DeleteCriticalSection
InitializeCriticalSectionEx
EnterCriticalSection

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-string-l1-1-0

CompareStringW
CompareStringOrdinal

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegQueryInfoKeyW
RegSetValueExW
RegDeleteValueW
RegQueryValueExW
RegCreateKeyExW
RegEnumKeyExW
RegEnumValueW
RegCloseKey

api-ms-win-core-com-l1-1-0

CoTaskMemFree
StringFromCLSID
CoCreateGuid
StringFromGUID2
CLSIDFromString

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetVersionExW
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSidToSidW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-shlwapi-obsolete-l1-1-0

SHLoadIndirectString

api-ms-win-core-shlwapi-legacy-l1-1-0

PathCanonicalizeW

api-ms-win-core-file-l1-1-0

GetLongPathNameW

api-ms-win-security-base-l1-1-0

IsValidSecurityDescriptor
GetSecurityDescriptorDacl
GetAce

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

ntdll

RtlIpv6AddressToStringW
RtlCopySid
RtlLengthSid
RtlIpv6StringToAddressW
RtlIpv4StringToAddressW
EtwTraceMessage
RtlIpv4AddressToStringW

ws2_32

htonl
ntohl

Exports

Exports

FwAddRule
FwAlloc
FwAllocCheckSize
FwClosePolicyStore
FwDeleteRule
FwEnumRules
FwFree
FwFreeRules
FwOpenOfflinePolicyStore
FwSetRule

Sections

.text
Size: 161KB - Virtual size: 161KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b985d90f788e2cad9ce334d84030f768

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

5a:a6:a6:25:93:14:18:68:25:ee:b6:70:41:cd:da:df:1b:4c:07:8e:5f:b4:a6:29:8b:82:3c:8b:9b:cf:ad:4bSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-profile-l1-1-0

ntdll

ws2_32

Exports

Exports

Sections

.text Size: 161KB - Virtual size: 161KB

.data Size: 15KB - Virtual size: 16KB

.idata Size: 5KB - Virtual size: 5KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 12KB - Virtual size: 11KB

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

5a:a6:a6:25:93:14:18:68:25:ee:b6:70:41:cd:da:df:1b:4c:07:8e:5f:b4:a6:29:8b:82:3c:8b:9b:cf:ad:4b
Signer

.text
Size: 161KB - Virtual size: 161KB

.data
Size: 15KB - Virtual size: 16KB

.idata
Size: 5KB - Virtual size: 5KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 12KB - Virtual size: 11KB