MobServe[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

MobServe.dll
Size

3.4MB
MD5

2ae05a3d182aa9520dfc87dd1afb05c1
SHA1

8e96ae86b69d55d20f45b11acfa19561691da6bd
SHA256

07a390b83f2d5eb0f9a421c479133b73d94deffad7a0707fb364cb12cb303cca
SHA512

89f8faf1b89d72a4c4f1115c32c4132a6f0b454b64e4e0eceb3de2e04a54fbcab48461611b12f52269283cb6993d16dc4dac8bafa87e6a2a86ba91ebd2a2a111
SSDEEP

49152:6cT9Cb6rx4ybcj53jjig8kGDwm/AIRQjLz4c+M6aAjidP1zbUzZZ6Z4eCQ1vG:6cT9Cuqlzjt9GDw+IBvLEMbd

Score

3^/10

Malware Config

Signatures

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
sample	embeds_openssl

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
MobServe.dll

Files

MobServe.dll
.dll windows:6 windows x86 arch:x86

a8e3d4f150ae6f324f5cfeda34a067fa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ws2_32

closesocket
bind
accept
send
recv
WSASetLastError
getservbyname
getservbyport
gethostbyaddr
inet_ntoa
listen
sendto
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSACleanup
WSAGetLastError
htonl
htons
getpeername
setsockopt
socket
shutdown
recvfrom
ioctlsocket
inet_addr
WSAEventSelect
WSAResetEvent
WSAWaitForMultipleEvents
inet_pton
inet_ntop
WSAIoctl
__WSAFDIsSet
getaddrinfo
freeaddrinfo
gethostname
WSAStartup
gethostbyname
select
ntohs
getsockopt
getsockname
connect

kernel32

ReadFile
WriteFile
GetTempPathW
GetTempPathA
GetTempFileNameA
CloseHandle
GetLastError
QueryPerformanceCounter
QueryPerformanceFrequency
InitializeCriticalSectionEx
DeleteCriticalSection
WaitForSingleObject
Sleep
GetCurrentProcess
ExitProcess
CreateThread
CreateProcessW
GetSystemInfo
VirtualAlloc
DisableThreadLibraryCalls
FreeLibrary
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
LoadLibraryA
CopyFileA
MoveFileExW
GetStdHandle
GetFileType
GetModuleHandleW
MultiByteToWideChar
SetLastError
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetCurrentThreadId
GetFileSize
TlsGetValue
TlsSetValue
TlsFree
GetEnvironmentVariableW
GetModuleHandleExW
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualFree
CreateFileW
WideCharToMultiByte
GetACP
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
ReleaseSemaphore
GetExitCodeThread
CreateSemaphoreA
GetSystemDirectoryA
FormatMessageA
LoadLibraryW
GetSystemTime
SystemTimeToFileTime
FindClose
FindFirstFileW
FindNextFileW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
FlushFileBuffers
GetTickCount
MapViewOfFile
CreateFileMappingW
GetProcessHeap
LocalFree
UnlockFile
HeapDestroy
HeapCompact
HeapAlloc
HeapReAlloc
DeleteFileW
DeleteFileA
WaitForSingleObjectEx
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
FormatMessageW
HeapSize
HeapValidate
UnmapViewOfFile
GetFileAttributesW
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
GetFullPathNameW
HeapFree
HeapCreate
AreFileApisANSI
RaiseException
GetVersion
SetEvent
CreateEventW
GetSystemDirectoryW
GetEnvironmentVariableA
PeekNamedPipe
WaitForMultipleObjects
SleepEx
VerSetConditionMask
VerifyVersionInfoW
GetFileSizeEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
InitializeSListHead
TlsAlloc
LockFileEx

user32

MessageBoxA
GetUserObjectInformationW
GetProcessWindowStation
FindWindowW
MessageBoxW
ShowWindow

shell32

SHGetKnownFolderPath

ole32

CoTaskMemFree

advapi32

OpenProcessToken
CryptEncrypt
CryptImportKey
CryptGetHashParam
AdjustTokenPrivileges
LookupPrivilegeValueA
GetUserNameA
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
CryptDecrypt
CryptCreateHash
CryptAcquireContextA
CryptHashData
CryptDestroyHash
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptGenRandom
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptSignHashW
CryptEnumProvidersW

msvcp140

?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
?width@ios_base@std@@QBE_JXZ
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Xlength_error@std@@YAXPBD@Z
?good@ios_base@std@@QBE_NXZ
?flags@ios_base@std@@QBEHXZ
?width@ios_base@std@@QAE_J_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z

crypt32

CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CryptUnprotectData
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty
CertOpenSystemStoreW
CryptStringToBinaryW
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringW
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertFreeCertificateChain
CertGetCertificateChain

bcrypt

BCryptGenRandom

vcruntime140

wcschr
strchr
wcsstr
strstr
memset
memmove
memcpy
__CxxFrameHandler3
_CxxThrowException
__std_exception_destroy
__std_exception_copy
strrchr
__std_terminate
_except_handler4_common
memchr
__std_type_info_destroy_list

api-ms-win-crt-runtime-l1-1-0

__sys_errlist
raise
_initialize_narrow_environment
strerror_s
__sys_nerr
_initialize_onexit_table
_configure_narrow_argv
_errno
abort
_register_onexit_function
_seh_filter_dll
_execute_onexit_table
signal
_crt_atexit
_beginthreadex
_endthreadex
_cexit
_exit
_initterm
_initterm_e
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-string-l1-1-0

wcsncpy
strpbrk
wcsncmp
wcspbrk
_wcsdup
_strnicmp
strcmp
strncpy
_strdup
strncmp
strspn
strcspn
isdigit
strncpy_s
strcat_s
strcpy_s
isspace
tolower

api-ms-win-crt-heap-l1-1-0

_callnewh
free
_msize
malloc
realloc
calloc

api-ms-win-crt-utility-l1-1-0

qsort
srand
rand

api-ms-win-crt-stdio-l1-1-0

fread
_close
_read
fopen
_wfopen
fputs
fseek
_fseeki64
fflush
ftell
_setmode
fclose
_fileno
fgets
ferror
fopen_s
__acrt_iob_func
feof
fwrite
__stdio_common_vswprintf
__stdio_common_vsprintf_s
__stdio_common_vsscanf
__stdio_common_vsprintf
_wopen
__stdio_common_vfprintf
setvbuf
fputc
_write
_lseeki64

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_stat64i32
_unlink
_wstat64

api-ms-win-crt-time-l1-1-0

_localtime64_s
_time64
_gmtime64_s
_gmtime64
strftime

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-convert-l1-1-0

strtoul
strtol
atoi
strtoull
strtoll
wcstombs
strtod

api-ms-win-crt-math-l1-1-0

_fdopen
_dclass

api-ms-win-crt-locale-l1-1-0

setlocale

Exports

Exports

ExportFunction

Sections

.text
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 618KB - Virtual size: 617KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 17KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 115KB - Virtual size: 114KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a8e3d4f150ae6f324f5cfeda34a067fa

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

kernel32

user32

shell32

ole32

advapi32

msvcp140

crypt32

bcrypt

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Exports

Exports

Sections

.text Size: 2.6MB - Virtual size: 2.6MB

.rdata Size: 618KB - Virtual size: 617KB

.data Size: 17KB - Virtual size: 25KB

.reloc Size: 115KB - Virtual size: 114KB

.text
Size: 2.6MB - Virtual size: 2.6MB

.rdata
Size: 618KB - Virtual size: 617KB

.data
Size: 17KB - Virtual size: 25KB

.reloc
Size: 115KB - Virtual size: 114KB