DigitalSide Threat Intel

softokn3.dll

First submission 2023-06-27 13:01:02 Last sumbission 2023-09-30 19:20:02

File details

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 251.83 KB (257872 bytes)
Compile time: 2022-09-02 18:53:07
MD5: 4e52d739c324db8225bd9ab2695f262f
SHA1: 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256: 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
Import Hash : 32ef7516974ac0c43943c0635266c6fd
Sections 6 .text .rdata .data .00cfg .rsrc .reloc
Directories 6 import export resource debug relocation security
Virus Total: 0/70 VT report date: 2023-06-24 22:31:23

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 6

URL Host (FQDN/IP) Date Added
hXXp://217.196.96.138/063ec44b1db69f0e/softokn3.dll VirusTotal Report 217.196.96.138 VirusTotal Report 2023-09-30 19:20:03
hXXp://45.140.147.83/0d79b00b81d1cdb5/softokn3.dll VirusTotal Report 45.140.147.83 VirusTotal Report 2023-09-30 19:19:03
hXXp://208.91.189.189/05b85f6a6b0e9444/softokn3.dll VirusTotal Report 208.91.189.189 VirusTotal Report 2023-09-28 18:54:05
hXXp://193.201.8.110/c67be317e1e6e8d4/softokn3.dll VirusTotal Report 193.201.8.110 VirusTotal Report 2023-09-28 18:46:03
hXXp://91.103.253.2/bdc46bd1e5d3e260/softokn3.dll VirusTotal Report 91.103.253.2 VirusTotal Report 2023-09-26 07:03:03
hXXp://185.161.251.81/a4cf60df505c17ab/softokn3.dll VirusTotal Report 185.161.251.81 VirusTotal Report 2023-09-24 16:22:03

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x2cb26 183296 2563cae8f6ad3f00fefe8709bf061dde5e35b398 cf77805859da8b1eb38c9e516d626df2
.rdata 0x2e000 0xabd4 44032 08db63c25e87713b8bb0c11243d643dd02b95a2d f6c6d56ba05bf3a969fcb268a9414d52
.data 0x39000 0xb98 2048 25d9134492ea59c34a511bf61d6015437c1707c0 2eb7215637c07a785f3ce6637a38512a
.00cfg 0x3a000 0x4 512 9143293090898ce0f6f65ad11ed9b4dfba79143e 611b8bebadf9127cbc32c240e50e912b
.rsrc 0x3b000 0x380 1024 6bd94126c0049f56629e98865f7229922c737a4f 298e8022aff6d987ef704d938c8c749f
.reloc 0x3c000 0x35c8 13824 33dd7b681c589faa00de30bada40e2b0f33bd94c 2086b88b13f50734eedbe1ff42e1a2ba

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x3b060 796

Meta infos 12

LegalCopyright: License: MPL 2
InternalName:
FileVersion: 104.0.2
CompanyName: Mozilla Foundation
BuildID: 20220902153754
LegalTrademarks: Mozilla
Comments:
ProductName: Firefox
ProductVersion: 104.0.2
FileDescription:
Translation: 0x0000 0x04b0
OriginalFilename: softokn3.dll

Packers detected 1

Borland Delphi 3.0 (???)

Anti debug functions 4

IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter

File signature

MD5 SHA1 Block size Virtual Address
a6fcdf133ec4df52523d6b678a8729b3 a2de4a7649b2f9bbb78a432a26b3083f595440fc 12112 245760

Strings analysis - File found

Database
%s%c%s%s%d.db
_dOeSnotExist_.db
Library
softokn3.dll
api-ms-win-crt-utility-l1-1-0.dll
freebl3.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
nss3.dll
api-ms-win-crt-string-l1-1-0.dll
vcruntime140.dll
api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
KERNEL32.dll

Strings analysis - Possible URLs found 22

http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
http://ocsp.digicert.com0
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
http://www.digicert.com/CPS0
http://crl3.digicert.com/sha2-assured-cs-g1.crl05
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://ocsp.digicert.com0C
http://ocsp.digicert.com0A
http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
http://ocsp.digicert.com0N
https://mozilla.org0/
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
http://ocsp.digicert.com0X
http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
https://www.digicert.com/CPS0

Import functions

Function Address Souspicious Anti Debug
_wchmod 0x10037d54
Function Address Souspicious Anti Debug
_cexit 0x10037d28
_configure_narrow_argv 0x10037d2c
_execute_onexit_table 0x10037d30
_initialize_narrow_environment 0x10037d34
_initialize_onexit_table 0x10037d38
_initterm 0x10037d3c
_initterm_e 0x10037d40
_seh_filter_dll 0x10037d44
Function Address Souspicious Anti Debug
free 0x10037d68
malloc 0x10037d6c
realloc 0x10037d70
Function Address Souspicious Anti Debug
atoi 0x10037d5c
strtoul 0x10037d60
Function Address Souspicious Anti Debug
islower 0x10037d80
isupper 0x10037d84
strcmp 0x10037d88
strcpy 0x10037d8c
strlen 0x10037d90
Function Address Souspicious Anti Debug
getenv 0x10037d78
Function Address Souspicious Anti Debug
DER_Encode_Util 0x10037b14
DER_GetInteger_Util 0x10037b18
DER_SetUInteger 0x10037b1c
NSSUTIL_ArgDecodeNumber 0x10037b20
NSSUTIL_ArgFetchValue 0x10037b24
NSSUTIL_ArgGetLabel 0x10037b28
NSSUTIL_ArgHasFlag 0x10037b2c
NSSUTIL_ArgIsBlank 0x10037b30
NSSUTIL_ArgSkipParameter 0x10037b34
NSSUTIL_ArgStrip 0x10037b38
NSSUTIL_DoModuleDBFunction 0x10037b3c
NSS_Get_SECOID_AlgorithmIDTemplate_Util 0x10037b40
NSS_Get_SEC_AnyTemplate_Util 0x10037b44
NSS_Get_SEC_BitStringTemplate_Util 0x10037b48
NSS_Get_SEC_ObjectIDTemplate_Util 0x10037b4c
NSS_Get_SEC_OctetStringTemplate_Util 0x10037b50
NSS_SecureMemcmp 0x10037b54
PL_CompareValues 0x10037b58
PL_HashTableAdd 0x10037b5c
PL_HashTableDestroy 0x10037b60
PL_HashTableEnumerateEntries 0x10037b64
PL_HashTableLookup 0x10037b68
PL_HashTableLookupConst 0x10037b6c
PL_HashTableRemove 0x10037b70
PL_NewHashTable 0x10037b74
PL_strcasecmp 0x10037b78
PL_strncasecmp 0x10037b7c
PORT_Alloc_Util 0x10037b80
PORT_ArenaAlloc_Util 0x10037b84
PORT_ArenaGrow_Util 0x10037b88
PORT_ArenaZAlloc_Util 0x10037b8c
PORT_FreeArena_Util 0x10037b90
PORT_Free_Util 0x10037b94
PORT_GetError_Util 0x10037b98
PORT_NewArena_Util 0x10037b9c
PORT_Realloc_Util 0x10037ba0
PORT_SetError_Util 0x10037ba4
PORT_Strdup_Util 0x10037ba8
PORT_ZAlloc_Util 0x10037bac
PORT_ZFree_Util 0x10037bb0
PR_Access 0x10037bb4
PR_CallOnce 0x10037bb8
PR_DestroyLock 0x10037bbc
PR_DestroyMonitor 0x10037bc0
PR_EnterMonitor 0x10037bc4
PR_ExitMonitor 0x10037bc8
PR_FindFunctionSymbol 0x10037bcc
PR_Free 0x10037bd0
PR_GetCurrentThread 0x10037bd4
PR_GetDirectorySeparator 0x10037bd8
PR_GetEnv 0x10037bdc
PR_GetEnvSecure 0x10037be0
PR_GetLibraryFilePathname 0x10037be4
PR_IntervalNow 0x10037be8
PR_LoadLibraryWithFlags 0x10037bec
PR_Lock 0x10037bf0
PR_MillisecondsToInterval 0x10037bf4
PR_NewLock 0x10037bf8
PR_NewMonitor 0x10037bfc
PR_Now 0x10037c00
PR_SecondsToInterval 0x10037c04
PR_Sleep 0x10037c08
PR_UnloadLibrary 0x10037c0c
PR_Unlock 0x10037c10
PR_smprintf 0x10037c14
PR_smprintf_free 0x10037c18
PR_snprintf 0x10037c1c
SECITEM_AllocItem_Util 0x10037c20
SECITEM_CompareItem_Util 0x10037c24
SECITEM_CopyItem_Util 0x10037c28
SECITEM_DupItem_Util 0x10037c2c
SECITEM_FreeItem_Util 0x10037c30
SECITEM_HashCompare 0x10037c34
SECITEM_ItemsAreEqual_Util 0x10037c38
SECITEM_ZfreeItem_Util 0x10037c3c
SECOID_CopyAlgorithmID_Util 0x10037c40
SECOID_DestroyAlgorithmID_Util 0x10037c44
SECOID_FindOIDByMechanism 0x10037c48
SECOID_GetAlgorithmTag_Util 0x10037c4c
SECOID_Init 0x10037c50
SECOID_SetAlgorithmID_Util 0x10037c54
SECOID_Shutdown 0x10037c58
SEC_ASN1DecodeItem_Util 0x10037c5c
SEC_ASN1EncodeInteger_Util 0x10037c60
SEC_ASN1EncodeItem_Util 0x10037c64
SEC_QuickDERDecodeItem_Util 0x10037c68
SGN_CreateDigestInfo_Util 0x10037c6c
SGN_DestroyDigestInfo_Util 0x10037c70
UTIL_SetForkState 0x10037c74
_NSSUTIL_Access 0x10037c78
_NSSUTIL_EvaluateConfigDir 0x10037c7c
_NSSUTIL_UTF8ToWide 0x10037c80
_SGN_VerifyPKCS1DigestInfo 0x10037c84
sqlite3_bind_blob 0x10037c88
sqlite3_bind_int 0x10037c8c
sqlite3_bind_text 0x10037c90
sqlite3_busy_timeout 0x10037c94
sqlite3_close 0x10037c98
sqlite3_column_blob 0x10037c9c
sqlite3_column_bytes 0x10037ca0
sqlite3_column_int 0x10037ca4
sqlite3_column_text 0x10037ca8
sqlite3_exec 0x10037cac
sqlite3_file_control 0x10037cb0
sqlite3_finalize 0x10037cb4
sqlite3_free 0x10037cb8
sqlite3_mprintf 0x10037cbc
sqlite3_open_v2 0x10037cc0
sqlite3_prepare_v2 0x10037cc4
sqlite3_reset 0x10037cc8
sqlite3_step 0x10037ccc
Function Address Souspicious Anti Debug
DisableThreadLibraryCalls 0x10037cd4
GetCurrentProcess 0x10037cd8
GetCurrentProcessId 0x10037cdc
GetCurrentThreadId 0x10037ce0
GetSystemTimeAsFileTime 0x10037ce4
GetTempPathA 0x10037ce8
InitializeSListHead 0x10037cec
IsDebuggerPresent 0x10037cf0
IsProcessorFeaturePresent 0x10037cf4
QueryPerformanceCounter 0x10037cf8
SetUnhandledExceptionFilter 0x10037cfc
TerminateProcess 0x10037d00
UnhandledExceptionFilter 0x10037d04
Function Address Souspicious Anti Debug
qsort 0x10037d98
Function Address Souspicious Anti Debug
__std_type_info_destroy_list 0x10037d0c
_except_handler4_common 0x10037d10
memcmp 0x10037d14
memcpy 0x10037d18
memset 0x10037d1c
strrchr 0x10037d20
Function Address Souspicious Anti Debug
__stdio_common_vsprintf 0x10037d4c

PE Exports 10 suspicious

Function Address
C_GetFunctionList 0x1000cd10
C_GetInterface 0x1000ceb0
C_GetInterfaceList 0x1000cd20
FC_GetFunctionList 0x10003f00
FC_GetInterface 0x10003f60
FC_GetInterfaceList 0x10003f10
NSC_GetFunctionList 0x1000cd10
NSC_GetInterface 0x1000cd70
NSC_GetInterfaceList 0x1000cd20
NSC_ModuleDBFunc 0x1000a3f0

Related files by ImpHash 1 32ef7516974ac0c43943c0635266c6fd

Name Latest seen MD5
softokn3.dll 2023-09-25 17:47:02 63a1fe06be877497c4c2017ca0303537