freebl3.dll

First submission 2023-06-25 09:19:02 Last submission 2023-09-30 18:31:01

File details

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 668.93 KB (684984 bytes)
Compile time: 2022-03-22 16:58:30
MD5: 15b61e4a910c172b25fb7d8ccb92f754
SHA1: 5d9e319c7d47eb6d31aaed27707fe27a1665031c
SHA256: b2ae93d30c8beb0b26f03d4a8325ac89b92a299e8f853e5caa51bb32575b06c6
Import Hash: 3d2071c523682b80f8e0be60537dab9e
Sections 6 .text .rdata .data .00cfg .rsrc .reloc
Directories 6 import export resource debug relocation security
Virus Total: 0/62 VT report date: 2023-06-24 22:01:26

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 2

URL Host (FQDN/IP) Date Added
hXXp://128.140.101.125/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll 128.140.101.125 2023-09-30 18:31:03
hXXp://65.109.2.42/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll 65.109.2.42 2023-09-25 17:44:03

PE Sections 2 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x819d5 530944 c13b3b59a200c3055585358709ae54997637ed48 d3bdd05cbeee202694f4f920dd1da10b
.rdata 0x83000 0x206c4 133120 cc571f4be32858b6c1bc69f2b57c34861de4a32b 749fedbccc995d97ac2fa549ad57543e
.data 0xa4000 0x463c 512 ed675095bb52a589bffc1c259bb4ad128e3c6229 9332b6379db7791ae2cd552085c6ffa6
.00cfg 0xa9000 0x4 512 f9264f667129238cc34e2daa53c3f643d448839a 4c6d643550a6964a15a2dcd03bb3a3e4
.rsrc 0xaa000 0x378 1024 00b79f2d30cb2af3b1bc418762bdce17bd8706f7 432f86dd46b23298f58fc98df860a905
.reloc 0xab000 0x2438 9728 badc8b93169edcd18d0362bc9445d53d3c4e4b20 f0ae52b069ba901b8a0d9b377f564da4

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0xaa060 792

Meta infos 12

LegalCopyright: License: MPL 2
InternalName:
FileVersion: 98.0.2
CompanyName: Mozilla Foundation
BuildID: 20220322144853
LegalTrademarks: Mozilla
Comments:
ProductName: Firefox
ProductVersion: 98.0.2
FileDescription:
Translation: 0x0000 0x04b0
OriginalFilename: freebl3.dll

Packers detected 1

Borland Delphi 3.0 (???)

Anti debug functions 4

IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter

Anti VM functions 1

Bochs & QEmu CPUID Trick

File signature

MD5 SHA1 Block size Virtual Address
bc1ac59a8ee06f8ff5e151c07ebfe5d4 a790a67d5e8aba0f808bf137a4fc8024da7b091c 8120 676864

Strings analysis - File found

Library
freebl3.dll
api-ms-win-crt-utility-l1-1-0.dll
ADVAPI32.dll
api-ms-win-crt-time-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
vcruntime140.dll
nss3.dll
api-ms-win-crt-runtime-l1-1-0.dll
KERNEL32.dll

Strings analysis - Possible URLs found 16


Import functions

PE Exports 1 suspicious

Function Address
FREEBL_GetVector 0x10059270