temper.dll

First submission 2023-03-16 10:24:10

File details

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
File type:	12691.93 KB (12996536 bytes)
Compile time:	2023-02-25 13:07:43
MD5:	3b3d7619eb68e228800d9c3f5ac23ee3
SHA1:	3007b4cd5ab4d940e2cf9e116134f22deda586ea
SHA256:	ae8bce2c950ea683276425246918a82935cb7214d08190d5996e31876208ab77
Import Hash :	07b23fc5e1b71c8e48ba0022040270f6
Sections 9	VvT"<;zd yr5aGcw\ 9OTQ.L=k 2!C`9z.; [rd,OMMv wu0&fIa< r0?ng8X0 :0Of[v(^ 0CO!k.J>
Directories 5	security relocation resource export import
Virus Total:	5/59 VT report date: 2023-03-16 08:31:18

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://45.15.159.199/temper.dll	45.15.159.199	2023-03-16 10:24:11

PE Sections 7 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
VvT"<;zd	0x1000	0x2daa	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
yr5aGcw\	0x4000	0xa55	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
9OTQ.L=k	0x5000	0x253	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
2!C`9z.;	0x6000	0x1b0	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
[rd,OMMv	0x7000	0x6c88d9	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
wu0&fIa<	0x6d0000	0x880	2560	e0d560947855dccc1d7f8a3a27bb0ac825d7f683	e624dbe4fd563b482d93264b3f790eb3
r0?ng8X0	0x6d1000	0xc4c6c8	12896256	03846fb3689363dad4b6c4548c8542c868122544	12fff098f127d2f9aa384cae39d32698
:0Of[v(^	0x131e000	0xf0	512	d82dc25818b62be4b102d4830f6a48ed0b5d7fc2	6130aa529b8da5bddd4b6a278a5c3c93
0CO!k.J>	0x131f000	0x1631a	91136	dbda349e7b1e0fd083dc76ab40041b9d28b91ede	c42d7d4673aaabab711e04a53fe9a616

PE Resources 4

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1333d18	1128
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1334180	188
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1334730	1032	PE Resource: RT_VERSION - Data 4VS_VERSION_INFOGG?hStringFileInfoD040904B0LCompanyNameMicrosoft CorporationHFileDescriptionWin32 Cabinet Self-Extractor j%FileVersion11.00.18362.1 (WinBuild.160101.0800)RInternalNameWextract .LegalCopyright Microsoft Corporation. All rights reserved.bOriginalFilenameWEXTRACT.EXE .MUIDProductNameInternet Explorer@ProductVersion11.00.18362.1DVarFileInfo$Translation
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1334b38	2018	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!-- Copyright (c) Microsoft Corporation --> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="wextract" type="win32"/> <description>IExpress extraction tool</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--This Id value indicates the application supports Windows Vista/Server 2008 functionality --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--This Id value indicates the application supports Windows 7/Server 2008 R2 functionality--> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--This Id value indicates the application supports Windows 8/Server 2012 functionality--> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- This Id value indicates the application supports Windows Blue/Server 2012 R2 functionality--> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- This Id value indicates the application supports Windows Threshold functionality--> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>

Meta infos 9

FileDescription:	BingWallpaper
LegalCopyright:	\xa9 Microsoft Corporation. All rights reserved.
Translation:	0x0409 0x04b0
InternalName:	Wextract
ProductName:	BingWallpaper
CompanyName:	Microsoft Corporation
FileVersion:	2.0.0.0
OriginalFilename:	WEXTRACT.EXE .MUI
ProductVersion:	2.0.0.0

Anti debug functions 5

GetLastError
IsDebuggerPresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

File signature

MD5	SHA1	Block size	Virtual Address
9c7582100ee096239b213064b18a1b07	08426d96c722e46b1d2a418b8ab0adfae22adf68	5048	12991488

Strings analysis - File found

Database
0\.db
Library
KERNEL32.dll
xPws2_32.dll
secur32.dll
8ole32.dll
pAdvapi32.dll
~user32.dll
socks64.dll

Strings analysis - Possible URLs found 8

http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
https://d.symcb.com/rpa0.
https://d.symcb.com/rpa0@
http://ts-ocsp.ws.symantec.com0;
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
http://s.symcd.com06
https://d.symcb.com/cps0%
http://s.symcb.com/universal-root.crl0

Import functions

kernel32.dll 127 advapi32.dll 3 user32.dll 2 ws2_32.dll 16 secur32.dll 2 ole32.dll 3

Function	Address	Souspicious	Anti Debug
WriteFile	0x1806d00b8
SetFilePointer	0x1806d00c0
CreateFileA	0x1806d00c8
VirtualFree	0x1806d00d0
LocalFree	0x1806d00d8
LocalAlloc	0x1806d00e0
GetLocalTime	0x1806d00e8
SetEvent	0x1806d00f0
WaitForSingleObject	0x1806d00f8
ExitThread	0x1806d0100
CloseHandle	0x1806d0108
CreateThread	0x1806d0110
GetVolumeInformationA	0x1806d0118
VirtualAlloc	0x1806d0120
SystemTimeToFileTime	0x1806d0128
Sleep	0x1806d0130
GetCurrentProcess	0x1806d0138
FileTimeToSystemTime	0x1806d0140
CreateEventA	0x1806d0148
GetSystemTimeAsFileTime	0x1806d0190
CreateEventA	0x1806d0198
GetModuleHandleA	0x1806d01a0
TerminateProcess	0x1806d01a8
GetCurrentProcess	0x1806d01b0
CreateToolhelp32Snapshot	0x1806d01b8
Thread32First	0x1806d01c0
GetCurrentProcessId	0x1806d01c8
GetCurrentThreadId	0x1806d01d0
OpenThread	0x1806d01d8
Thread32Next	0x1806d01e0
CloseHandle	0x1806d01e8
SuspendThread	0x1806d01f0
ResumeThread	0x1806d01f8
WriteProcessMemory	0x1806d0200
GetSystemInfo	0x1806d0208
VirtualAlloc	0x1806d0210
VirtualProtect	0x1806d0218
VirtualFree	0x1806d0220
GetProcessAffinityMask	0x1806d0228
SetProcessAffinityMask	0x1806d0230
GetCurrentThread	0x1806d0238
SetThreadAffinityMask	0x1806d0240
Sleep	0x1806d0248
LoadLibraryA	0x1806d0250
FreeLibrary	0x1806d0258
GetTickCount	0x1806d0260
SystemTimeToFileTime	0x1806d0268
FileTimeToSystemTime	0x1806d0270
GlobalFree	0x1806d0278
HeapAlloc	0x1806d0280
HeapFree	0x1806d0288
GetProcAddress	0x1806d0290
ExitProcess	0x1806d0298
EnterCriticalSection	0x1806d02a0
LeaveCriticalSection	0x1806d02a8
InitializeCriticalSection	0x1806d02b0
DeleteCriticalSection	0x1806d02b8
MultiByteToWideChar	0x1806d02c0
GetModuleHandleW	0x1806d02c8
LoadResource	0x1806d02d0
FindResourceExW	0x1806d02d8
FindResourceExA	0x1806d02e0
WideCharToMultiByte	0x1806d02e8
GetThreadLocale	0x1806d02f0
GetUserDefaultLCID	0x1806d02f8
GetSystemDefaultLCID	0x1806d0300
EnumResourceNamesA	0x1806d0308
EnumResourceNamesW	0x1806d0310
EnumResourceLanguagesA	0x1806d0318
EnumResourceLanguagesW	0x1806d0320
EnumResourceTypesA	0x1806d0328
EnumResourceTypesW	0x1806d0330
CreateFileW	0x1806d0338
LoadLibraryW	0x1806d0340
GetLastError	0x1806d0348
FlushFileBuffers	0x1806d0350
CreateFileA	0x1806d0358
FlsSetValue	0x1806d0360
GetCommandLineA	0x1806d0368
GetCPInfo	0x1806d0370
GetACP	0x1806d0378
GetOEMCP	0x1806d0380
IsValidCodePage	0x1806d0388
EncodePointer	0x1806d0390
DecodePointer	0x1806d0398
FlsGetValue	0x1806d03a0
FlsFree	0x1806d03a8
SetLastError	0x1806d03b0
FlsAlloc	0x1806d03b8
UnhandledExceptionFilter	0x1806d03c0
SetUnhandledExceptionFilter	0x1806d03c8
IsDebuggerPresent	0x1806d03d0
RtlVirtualUnwind	0x1806d03d8
RtlLookupFunctionEntry	0x1806d03e0
RtlCaptureContext	0x1806d03e8
RaiseException	0x1806d03f0
RtlPcToFileHeader	0x1806d03f8
RtlUnwindEx	0x1806d0400
LCMapStringA	0x1806d0408
LCMapStringW	0x1806d0410
SetHandleCount	0x1806d0418
GetStdHandle	0x1806d0420
GetFileType	0x1806d0428
GetStartupInfoA	0x1806d0430
GetModuleFileNameA	0x1806d0438
FreeEnvironmentStringsA	0x1806d0440
GetEnvironmentStrings	0x1806d0448
FreeEnvironmentStringsW	0x1806d0450
GetEnvironmentStringsW	0x1806d0458
HeapSetInformation	0x1806d0460
HeapCreate	0x1806d0468
HeapDestroy	0x1806d0470
QueryPerformanceCounter	0x1806d0478
GetStringTypeA	0x1806d0480
GetStringTypeW	0x1806d0488
GetLocaleInfoA	0x1806d0490
HeapSize	0x1806d0498
WriteFile	0x1806d04a0
SetFilePointer	0x1806d04a8
GetConsoleCP	0x1806d04b0
GetConsoleMode	0x1806d04b8
HeapReAlloc	0x1806d04c0
InitializeCriticalSectionAndSpinCount	0x1806d04c8
SetStdHandle	0x1806d04d0
WriteConsoleA	0x1806d04d8
GetConsoleOutputCP	0x1806d04e0
WriteConsoleW	0x1806d04e8

Function	Address	Souspicious	Anti Debug
GetTokenInformation	0x1806d0098
OpenProcessToken	0x1806d00a0
GetSidSubAuthority	0x1806d00a8

Function	Address	Souspicious	Anti Debug
wsprintfA	0x1806d0000
CharUpperBuffW	0x1806d04f8

Function	Address	Souspicious	Anti Debug
getaddrinfo	0x1806d0010
closesocket	0x1806d0018
shutdown	0x1806d0020
send	0x1806d0028
setsockopt	0x1806d0030
freeaddrinfo	0x1806d0038
recv	0x1806d0040
WSAIoctl	0x1806d0048
select	0x1806d0050
connect	0x1806d0058
inet_ntoa	0x1806d0060
inet_addr	0x1806d0068
htons	0x1806d0070
ioctlsocket	0x1806d0078
WSAStartup	0x1806d0080
socket	0x1806d0088

Function	Address	Souspicious	Anti Debug
GetUserNameExA	0x1806d0158
GetUserNameExW	0x1806d0160

Function	Address	Souspicious	Anti Debug
CoUninitialize	0x1806d0170
CoCreateInstance	0x1806d0178
CoInitialize	0x1806d0180

PE Exports 1 suspicious

Function	Address
rundll	0x180001020