RogueKillerDLL[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

RogueKillerDLL.dll
Size

4.9MB
MD5

548947545d54210ded4c8d4a303a077c
SHA1

cec0dc8e5a79b895a3a67e7752832781320d4bd3
SHA256

31635fd58a8b3f63b6ed837bac7c6f35c255214b829479ef9c3adf5df4426dc7
SHA512

213e0feef95564f8fad924f5d2ddcfc45d91a2e2f873588868b135a79e70dd409dbdc13990fa6e7255cc8c64d28931526c193477deaa93da64e6e2566f599cad
SSDEEP

49152:OYJpPEWv3ddkWpslFvNx1vWmKoRtQPayNvz9Y1TAHvhQR2CtZU6EOP3Lu1i2TSu2:+Wv33/aNx1O+QPpvz9XH5Q8CIcu1a

Score

1^/10

Malware Config

Signatures

Files

RogueKillerDLL.dll
.dll windows:5 windows x86 arch:x86

5e22fa1b056632cbc031481c4e9c38b9

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25/05/2021, 00:00

Not After

31/12/2028, 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22/03/2021, 00:00

Not After

21/03/2036, 23:59

Subject

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

18:39:af:85:74:aa:0e:80:c3:71:d9:80:34:61:dd:7b
Certificate

Issuer

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Not Before

13/01/2022, 00:00

Not After

12/01/2025, 23:59

Subject

CN=ADLICE,O=ADLICE,ST=Loire-Atlantique,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

b2:56:a7:44:52:7a:ea:13:de:11:d5:df:f4:a2:9b:30:1e:b7:28:b4
Signer

Actual PE Digest

b2:56:a7:44:52:7a:ea:13:de:11:d5:df:f4:a2:9b:30:1e:b7:28:b4

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

E:\Adlice\RogueKillerPE\RelWithDebInfo\roguekillerdll.pdb

Imports

ws2_32

freeaddrinfo
getnameinfo
WSAIoctl
getaddrinfo

kernel32

Module32FirstW
Module32NextW
InterlockedDecrement
DefineDosDeviceW
SetHandleInformation
PeekNamedPipe
CreateNamedPipeW
CancelIo
GetModuleFileNameA
GetEnvironmentVariableW
OutputDebugStringA
GetVersionExA
SetFilePointer
LoadLibraryExW
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
GetStdHandle
SwitchToFiber
DeleteFiber
CreateFiber
QueryPerformanceCounter
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
LoadLibraryA
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
FormatMessageA
InitializeCriticalSection
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
VerifyVersionInfoA
ExpandEnvironmentStringsA
CreateFileMappingA
SwitchToThread
GetTempPathA
HeapValidate
CreateMutexW
UnlockFileEx
LockFile
AreFileApisANSI
CreateFileA
GetDiskFreeSpaceW
GetFileSize
HeapDestroy
InterlockedIncrement
FindResourceW
SizeofResource
LoadResource
LockResource
GetFileSizeEx
GetThreadLocale
VirtualQuery
GetDriveTypeW
lstrlenW
lstrcmpiW
SetFilePointerEx
GetUserGeoID
GetGeoInfoW
OutputDebugStringW
GetTimeZoneInformation
WriteConsoleW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
FlushFileBuffers
ReadFile
WriteFile
GetFileType
DeviceIoControl
GetVersionExW
GetModuleHandleW
GetTickCount
CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
GetTempFileNameW
GetTempPathW
GetModuleFileNameW
GetProcessHeap
HeapFree
HeapAlloc
GetComputerNameW
GetVolumeInformationW
GetSystemDirectoryW
LoadLibraryW
FormatMessageW
GetSystemInfo
Sleep
SetErrorMode
LocalFree
FreeLibrary
Thread32Next
Thread32First
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
TerminateJobObject
AssignProcessToJobObject
CreateJobObjectW
CreateProcessW
GetModuleHandleA
SetLastError
TerminateThread
GetProcessId
GetExitCodeProcess
TerminateProcess
GetCurrentProcessId
GetCurrentProcess
GetFileAttributesA
OpenProcess
GetProcAddress
MoveFileExW
MoveFileW
FindNextFileW
FindFirstFileW
DeleteFileW
GetFileAttributesExW
GetFileAttributesW
SetFileAttributesW
CreateFileW
RemoveDirectoryW
CreateDirectoryW
GetFileTime
FindClose
GetLastError
GetFullPathNameW
GetCurrentDirectoryW
ExpandEnvironmentStringsW
GetLongPathNameW
GetShortPathNameW
WideCharToMultiByte
MultiByteToWideChar
DeleteCriticalSection
TryEnterCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
IsValidCodePage
FindNextFileA
FindFirstFileExA
HeapSize
SetEndOfFile
GetFullPathNameA
SetStdHandle
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetACP
HeapReAlloc
GetConsoleCP
FreeLibraryAndExitThread
ExitThread
SetConsoleCtrlHandler
ExitProcess
RtlUnwind
InterlockedFlushSList
GetLocaleInfoW
LCMapStringW
CompareStringW
GetCPInfo
DecodePointer
EncodePointer
GetStringTypeW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WaitForSingleObjectEx
OpenThread
CreateThread
RaiseException
lstrcpyW
lstrcmpA
FlushViewOfFile
DeleteFileA
HeapCompact
UnlockFile
LockFileEx
LocalAlloc
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
IsBadWritePtr
IsBadReadPtr
VerSetConditionMask
QueryDosDeviceW
CreateEventW
CloseHandle
WaitForMultipleObjects
WaitForSingleObject
ResetEvent
SetEvent
GetDateFormatW
GetTimeFormatW
CompareFileTime
FileTimeToSystemTime
SystemTimeToFileTime
TzSpecificLocalTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetSystemTime
GetDiskFreeSpaceA
HeapCreate

user32

CharNextW
PostMessageW
FindWindowW
EnumWindows
GetWindowThreadProcessId
GetSystemMetrics
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
SendMessageA
FindWindowA

shell32

CommandLineToArgvW
SHGetFolderPathW
ShellExecuteExW
ord51

ole32

CoTaskMemAlloc
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoUninitialize
CoTaskMemFree
CoTaskMemRealloc

oleaut32

VariantClear
VariantInit
SysAllocString
SysFreeString
VarUI4FromStr

advapi32

OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
CreateProcessAsUserW
DuplicateTokenEx
DeregisterEventSource
RegisterEventSourceW
ReportEventW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegOpenKeyExW
RegQueryValueExW
GetSecurityInfo
CryptGenRandom
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
RegQueryInfoKeyW
RegEnumValueW
RegEnumKeyExW
RegDeleteValueW
CopySid
GetLengthSid
CheckTokenMembership
FreeSid
GetTokenInformation
ConvertStringSidToSidW
ConvertSidToStringSidW
SetNamedSecurityInfoW
SetEntriesInAclW
RegSetKeySecurity
RegGetKeySecurity
LookupAccountSidW
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
IsValidSecurityDescriptor
InitializeSecurityDescriptor
InitializeAcl
AllocateAndInitializeSid
IsValidSid
GetUserNameW
DuplicateToken
StartServiceW
QueryServiceStatusEx
QueryServiceStatus
QueryServiceConfig2W
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
EnumDependentServicesW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
ChangeServiceConfig2W
ChangeServiceConfigW
RegSetValueExW

shlwapi

PathFileExistsW
PathFindExtensionW
PathFindFileNameW
PathGetDriveNumberW
PathIsDirectoryW
PathIsPrefixW
PathIsRelativeW
PathQuoteSpacesW
PathRemoveArgsW
PathRemoveBackslashW
PathRemoveBlanksW
PathRemoveFileSpecW
PathSearchAndQualifyW
PathUnquoteSpacesW
PathUnExpandEnvStringsW
StrDupW
StrCmpIW
PathAppendW
PathGetArgsW

psapi

GetModuleBaseNameW
GetModuleInformation
GetProcessImageFileNameW
GetModuleFileNameExW

wininet

InternetGetConnectedState

userenv

UnloadUserProfile
LoadUserProfileW
DestroyEnvironmentBlock
CreateEnvironmentBlock
GetProfilesDirectoryW

netapi32

NetUserGetInfo
NetApiBufferFree

crypt32

CryptMsgClose
CryptMsgGetParam
CertCloseStore
CryptDecodeObject
CertFreeCertificateContext
CertNameToStrW
CertGetNameStringW
CryptQueryObject
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertGetCertificateContextProperty
CertFindCertificateInStore
CertOpenStore

wintrust

CryptCATAdminReleaseCatalogContext
CryptCATAdminAcquireContext
CryptCATAdminReleaseContext
CryptCATCatalogInfoFromContext
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminEnumCatalogFromHash
WinVerifyTrust

mpr

WNetGetConnectionW

wtsapi32

WTSFreeMemory
WTSEnumerateSessionsW
WTSQueryUserToken

ntdll

wcstombs
strpbrk
strtol
strstr
atoi
_stricmp
wcsstr
_strnicmp
strtoul
strspn
strncmp
strrchr
strncpy
qsort
isalnum
NtCreateKey
NtSetValueKey
NtDeleteValueKey
NtDeleteKey
NtOpenKey
strchr
_wtoi64
strcspn
_wcsicmp
memchr
memcmp
NtQueryVirtualMemory
NtUnloadDriver
tolower
isspace
toupper
memset
memcpy
memmove
NtQueryKey
wcsrchr
wcschr
RtlInitUnicodeString
strcmp

wsock32

gethostname
sendto
recvfrom
htonl
select
__WSAFDIsSet
htons
getpeername
socket
setsockopt
listen
connect
closesocket
bind
accept
WSASetLastError
send
recv
WSAGetLastError
WSACleanup
WSAStartup
ntohs
getsockopt
getsockname
inet_ntoa
shutdown

Exports

Exports

AfterReplace
BeforeReplace
InitReplace
Install
StartRTP
StopRTP
StopRunning
Uninstall
UninstallRTP
VerifyLicenseKey

Sections

.text
Size: 3.7MB - Virtual size: 3.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 888KB - Virtual size: 887KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 92KB - Virtual size: 178KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 452B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 238KB - Virtual size: 238KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5e22fa1b056632cbc031481c4e9c38b9

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0aCertificate

Extended Key Usages

Key Usages

18:39:af:85:74:aa:0e:80:c3:71:d9:80:34:61:dd:7bCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

b2:56:a7:44:52:7a:ea:13:de:11:d5:df:f4:a2:9b:30:1e:b7:28:b4Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

kernel32

user32

shell32

ole32

oleaut32

advapi32

shlwapi

psapi

wininet

userenv

netapi32

crypt32

wintrust

mpr

wtsapi32

ntdll

wsock32

Exports

Exports

Sections

.text Size: 3.7MB - Virtual size: 3.7MB

.rdata Size: 888KB - Virtual size: 887KB

.data Size: 92KB - Virtual size: 178KB

.gfids Size: 512B - Virtual size: 452B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 238KB - Virtual size: 238KB

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

18:39:af:85:74:aa:0e:80:c3:71:d9:80:34:61:dd:7b
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

b2:56:a7:44:52:7a:ea:13:de:11:d5:df:f4:a2:9b:30:1e:b7:28:b4
Signer

.text
Size: 3.7MB - Virtual size: 3.7MB

.rdata
Size: 888KB - Virtual size: 887KB

.data
Size: 92KB - Virtual size: 178KB

.gfids
Size: 512B - Virtual size: 452B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 238KB - Virtual size: 238KB