era[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

era.dll
Size

6.9MB
MD5

5108142e67f5d365e9912dbef3d0a8fa
SHA1

0d811eed7afaee1a2822e8adcbe5f1a23d1ed052
SHA256

c1ed8beaa565faf5f7d0f3247db408abd6283227074ea42313ac24b7cfd912b3
SHA512

5ce08a3963711ba8d3df19ed3f6e51c5d6b9c97757eeb9dd4201c219f55690108c178701b20d7dc9b44dc1bdfc7bbf1fc8b6aa80ad24e48c5fe9e16a75ed7012
SSDEEP

98304:R+PZS4IL4xz50hE0cVgWS+K3CqVH4ddrdthxP:RaeMR5KcVg2K3bVY/dj

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
era.dll

Files

era.dll
.dll windows:6 windows x64 arch:x64

b98cd3ccb13768b5f8051031e2f7b277

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\daniele\source\repos\fortmp-client\x64\Release\era.pdb

Imports

kernel32

SleepEx
SetEvent
CreateEventW
CreateIoCompletionPort
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
VerifyVersionInfoW
VerSetConditionMask
QueueUserAPC
TerminateThread
WaitForMultipleObjects
WideCharToMultiByte
GetModuleHandleA
TlsFree
TlsAlloc
CreateWaitableTimerW
AddVectoredExceptionHandler
RemoveVectoredExceptionHandler
GetModuleHandleW
RtlLookupFunctionEntry
VirtualQuery
CreateToolhelp32Snapshot
Process32FirstW
OpenProcess
K32GetModuleFileNameExW
Process32NextW
GetCurrentThreadId
SuspendThread
ResumeThread
GetThreadContext
SetThreadContext
FlushInstructionCache
VirtualAlloc
VirtualFree
FreeLibrary
ReleaseMutex
CreateMutexA
GetExitCodeThread
GetTickCount
InitializeCriticalSection
TryEnterCriticalSection
InitializeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
HeapFree
GetProcessHeap
GlobalAlloc
GetSystemTimeAsFileTime
GlobalFree
ResetEvent
WaitForMultipleObjectsEx
CreateEventA
CancelWaitableTimer
SetThreadPriority
GetPriorityClass
GetVersionExA
CreateWaitableTimerA
QueryPerformanceCounter
QueryPerformanceFrequency
FormatMessageW
GetEnvironmentVariableA
SignalObjectAndWait
GetThreadPriority
GetCurrentProcess
WaitForSingleObject
VirtualProtect
GetCurrentThread
GetConsoleMode
GetStdHandle
TlsGetValue
GetModuleHandleExW
InitializeSRWLock
DecodePointer
LCMapStringEx
WriteFile
GetCurrentProcessId
GetProcAddress
RaiseException
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetFileType
GetSystemDirectoryA
GetEnvironmentVariableW
SwitchToFiber
DeleteFiber
CreateFiberEx
RtlVirtualUnwind
GetACP
ConvertFiberToThread
ConvertThreadToFiberEx
LoadLibraryW
SetConsoleMode
ReadConsoleA
ReadConsoleW
FindClose
FindFirstFileW
FindNextFileW
WaitForSingleObjectEx
RtlCaptureContext
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
InitializeSListHead
GetSystemTime
SystemTimeToFileTime
FindFirstFileExW
GetFileAttributesExW
TlsSetValue
EnterCriticalSection
LeaveCriticalSection
SetWaitableTimer
SetLastError
GetQueuedCompletionStatus
PostQueuedCompletionStatus
GetLastError
FormatMessageA
LoadLibraryA
DeviceIoControl
CreateFileW
CloseHandle
CreateThread
Sleep
TerminateProcess
LocalFree
RtlPcToFileHeader
SleepConditionVariableSRW
WakeConditionVariable
InitOnceComplete
InitOnceBeginInitialize
SwitchToThread
InitializeCriticalSectionEx
GetFileInformationByHandleEx
AreFileApisANSI
CompareStringEx
GetCPInfo
GetLocaleInfoEx
EncodePointer
MultiByteToWideChar
GetStringTypeW

advapi32

RegisterEventSourceW
ReportEventW
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW
CryptEnumProvidersW
DeregisterEventSource
RegQueryValueExW
RegSetKeyValueA
RegCreateKeyA
RegCloseKey
RegGetValueA
RegOpenKeyExA

ole32

StringFromCLSID
PropVariantClear
CoGetInterfaceAndReleaseStream
CoMarshalInterThreadInterfaceInStream
CoInitializeEx
CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitializeSecurity
CoInitialize
CoCreateGuid
CoTaskMemFree

oleaut32

VariantInit
SysAllocString
SysFreeString
VariantClear

ws2_32

closesocket
shutdown
WSAAddressToStringW
WSASetLastError
htons
getnameinfo
ntohs
getpeername
send
ntohl
WSARecv
select
recv
freeaddrinfo
setsockopt
ioctlsocket
getsockopt
WSAStartup
accept
__WSAFDIsSet
WSAGetLastError
connect
socket
listen
WSASocketW
getaddrinfo
inet_pton
WSACleanup
getsockname
WSASend
bind
getservbyname
getservbyport
gethostbyaddr
inet_addr
WSARecvFrom
WSASendTo
sendto
recvfrom
WSAPoll
inet_ntoa
gethostbyname
WSAIoctl
htonl

crypt32

CertCloseStore
CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertFindCertificateInStore
CertOpenStore
CertOpenSystemStoreW
CertEnumCertificatesInStore
CertFreeCertificateContext

bcrypt

BCryptGenRandom

dbghelp

ImageNtHeader

iphlpapi

GetAdaptersAddresses

setupapi

SetupDiGetDeviceRegistryPropertyW
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceAlias
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsA
SetupDiOpenDeviceInterfaceRegKey

winmm

waveOutOpen
waveOutGetErrorTextW
waveOutGetDevCapsW
waveOutGetNumDevs
timeEndPeriod
timeBeginPeriod
timeGetTime
waveInMessage
waveOutMessage
waveOutWrite
waveOutPause
waveOutClose
waveOutReset
waveOutGetPosition
waveInGetNumDevs
waveInGetDevCapsW
waveInOpen
waveInClose
waveInPrepareHeader
waveInUnprepareHeader
waveInAddBuffer
waveInStart
waveInReset
timeGetDevCaps
waveOutPrepareHeader
waveOutRestart
waveOutUnprepareHeader
waveInGetErrorTextW

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_terminate
__uncaught_exceptions
__AdjustPointer
__std_type_info_destroy_list
__std_exception_destroy
__current_exception_context
__uncaught_exception
__current_exception
strstr
__RTDynamicCast
memmove
memcmp
memchr
_CxxThrowException
memset
_purecall
memcpy
wcsstr
__std_type_info_compare
__C_specific_handler
strrchr
strchr
__std_exception_copy

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
_invalid_parameter_noinfo
signal
_beginthreadex
terminate
_exit
raise
strerror_s
abort
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_errno
_execute_onexit_table
_set_abort_behavior
_initterm_e
_initterm
_cexit
_crt_atexit
exit

api-ms-win-crt-convert-l1-1-0

strtol
strtoull
wcstol
strtoll
strtoul
strtod
atoi
strtof
wcstod

api-ms-win-crt-stdio-l1-1-0

fgetc
fread
_fseeki64
fgetpos
fputs
fopen
_wfopen
__stdio_common_vsprintf
_setmode
ftell
_wfsopen
_fileno
fgets
ferror
feof
fsetpos
setvbuf
fflush
fputc
fseek
__acrt_iob_func
__stdio_common_vfprintf
fwrite
fclose
_get_stream_buffer_pointers
ungetc
__stdio_common_vswprintf
__stdio_common_vsscanf
__stdio_common_vsprintf_s

api-ms-win-crt-heap-l1-1-0

calloc
free
malloc
realloc
_callnewh

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file
remove
_stat64i32

api-ms-win-crt-string-l1-1-0

strncpy_s
strncmp
wcsnlen
__strncnt
strncpy
wcsncpy
isxdigit
toupper
strcmp
_wcsicmp
_wcsnicmp
iswctype
towupper
islower
isspace
isupper
strcspn
tolower
wcsncmp
isdigit
_stricmp
strcpy_s
strcat_s
isalnum
_wcsdup
strspn

api-ms-win-crt-utility-l1-1-0

rand_s
srand
bsearch
rand
qsort

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func
setlocale
_lock_locales
_unlock_locales
__pctype_func
___mb_cur_max_func
___lc_locale_name_func
___lc_collate_cp_func

api-ms-win-crt-math-l1-1-0

powf
floor
ceil
pow
ceilf
sin
cos
log10
_dsign
ldexp
log
_dclass
sqrt
exp
frexp

api-ms-win-crt-time-l1-1-0

_W_Gettnames
_localtime64_s
_time64
strftime
_gmtime64_s
_Strftime
_Gettnames
_ftime64
_Getdays
_Getmonths
_W_Getdays
_W_Getmonths
_Wcsftime

api-ms-win-crt-environment-l1-1-0

getenv

user32

GetProcessWindowStation
MessageBoxW
GetUserObjectInformationW

Sections

.text
Size: 5.2MB - Virtual size: 5.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 90KB - Virtual size: 115KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 196KB - Virtual size: 196KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b98cd3ccb13768b5f8051031e2f7b277

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

ole32

oleaut32

ws2_32

crypt32

bcrypt

dbghelp

iphlpapi

setupapi

winmm

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

user32

Sections

.text Size: 5.2MB - Virtual size: 5.2MB

.rdata Size: 1.3MB - Virtual size: 1.3MB

.data Size: 90KB - Virtual size: 115KB

.pdata Size: 196KB - Virtual size: 196KB

.detourc Size: 9KB - Virtual size: 8KB

.detourd Size: 512B - Virtual size: 24B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 47KB - Virtual size: 47KB

.text
Size: 5.2MB - Virtual size: 5.2MB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 90KB - Virtual size: 115KB

.pdata
Size: 196KB - Virtual size: 196KB

.detourc
Size: 9KB - Virtual size: 8KB

.detourd
Size: 512B - Virtual size: 24B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 47KB - Virtual size: 47KB