libcurl.dll

First submission 2024-10-14 23:26:06

File details

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Mime type:	application/x-dosexec
File size:	4268.0 KB (4370432 bytes)
Compile time:	2023-01-04 08:28:44
MD5:	52b8bff530ef8f2d919c9d2c5dea1947
SHA1:	aaf82d893c4f9e803bea7fcfe36d5e0d8f5e1991
SHA256:	34ab069c38f9dba671fa22bce13d8be3c28480ce23e08655a2a21c4072949631
Import Hash :	fb9ce4c7f2e14970adc69c90acfa1bb4
Sections 11	.text .data .rdata .eh_fram .bss .edata .idata .CRT .tls .rsrc .reloc
Directories 5	import export resource tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	0/79 VT report date: 2024-08-07 16:45:13

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://coach.028csc.com:81/libcurl.dll	coach.028csc.com	2024-10-14 23:26:06

PE Sections 2 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x2288dc	2263552	222c599309f2192ca32f86e0c970883ad8ee1964	eddea9d992754eea275ed244d73ad5af
.data	0x22a000	0x1988	6656	e92779edb8a90ba3dd6637a65412b32e0194e8c7	7b5731dfb93443911f7dabdec5afd52e
.rdata	0x22c000	0x19fd40	1703424	96fb7f991f554ea3166de9a4087518f806d6d8e0	c950bd893b527509a5910e450a6be837
.eh_fram	0x3cc000	0x4eeac	323584	1004dc347ce0612a606036448952b4be630d47c0	7fbcb8f9d0421c7713397113b921d2ae
.bss	0x41b000	0x2920	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.edata	0x41e000	0x9a3	2560	c3d8b83e9906fb96104122bb1d720de22a854e5c	f82e5a80eaeea431f59142bb4e7e6eef
.idata	0x41f000	0x18ec	6656	fda9a3c88d27fedf6bad04d2d8d4b2ea54c3c01e	c7dab4b85f2863e4960e86a4059ec9c6
.CRT	0x421000	0x30	512	97ebbe75db29e3bd34a0aa9e628fd61ff0d5fc1f	e24db8b50764619d9ddbee95c19faf59
.tls	0x422000	0x8	512	5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5	bf619eac0cdf3f68d496ea9344137e8b
.rsrc	0x423000	0x420	1536	15a33f0b85a06e22a097378f1de8ffeefe121384	5205a3491974d58e70beb2e95520fb3f
.reloc	0x424000	0xeb98	60416	70ec2189ebb39e790c1f805ab4672eaf66736065	0cee5985dc24b8e2ab7dd6a111004880

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_VERSION	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x423058	964	PE Resource: RT_VERSION - Data 4VS_VERSION_INFOTT?$StringFileInfo040904b0f#CompanyNameThe curl library, https://curl.se/VFileDescriptionlibcurl Shared Library6FileVersion7.84.0-DEV0InternalNamelibcurl@OriginalFilenamelibcurl.dllBProductNameThe curl library:ProductVersion7.84.0-DEV=LegalCopyrightCopyright (C) 1996 - 2022 Daniel Stenberg, <daniel@haxx.se>.`$Licensehttps://curl.se/docs/copyright.htmlDVarFileInfo$Translation

Name

Language

Sublanguage

Offset

Size

Data

RT_VERSION

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x423058

964

Meta infos 10

LegalCopyright:	Copyright (C) 1996 - 2022 Daniel Stenberg, <daniel@haxx.se>.
InternalName:	libcurl
FileVersion:	7.84.0-DEV
License:	https://curl.se/docs/copyright.html
CompanyName:	The curl library, https://curl.se/
ProductVersion:	7.84.0-DEV
FileDescription:	libcurl Shared Library
Translation:	0x0409 0x04b0
OriginalFilename:	libcurl.dll
ProductName:	The curl library

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringA
RaiseException
TerminateProcess

Anti debug functions 3

VMware trick
VMCheck.dll
Bochs & QEmu CPUID Trick

Strings analysis - File found

Temporary
%s.%s.tmp
Library
MSVCRT.dll
ADVAPI32.dll
libcurl.dll
KERNEL32.dll
libgcc_s_dw2-1.dll
IPHLPAPI.DLL
WLDAP32.dll
WS2_32.dll
Crypt32.dll

Strings analysis - Possible IPs found 6

5.5.7.3
0.1.2.5
1.3.6.1
1.2.0.4
6.7.8.5
127.0.0.1

Strings analysis - Possible URLs found 66

http://www.wencodeURIComponent(
http://www.icon
http://ator
http://www.style=
http://.jpg
http://interpreted
http://whether
http://option
file://%s%s%s
http://html4/loose.dtd
http://www-//W3C//DTD
http://familiar
http://www.C//DTD
http://mathematicsmargin-top:eventually
http://<div
http://www.hortcut
http://www.text-decoration:underthe
http://www.a
http://style=
http://www./div
http://
http://s;text-align:centerfont-weight:
http://www.years
https://<div
http://cript
http://iparticipation
https://curl.se/docs/copyright.html
http://Descriptionrelatively
https://curl.se/docs/hsts.html
http://</a
https://www.World
http://<a
http://imEnglish
http://navigation
https://aIn
http://www</a
file://
http://link
http://interested
http://staticsuggested
http://site_name
http://applicationslink
http://);
http://.css
http://xt/css
https://curl.se/docs/http-cookies.html
http://www.w3.org/shortcut
https://was
http://px;
http://In
http://dictionaryperceptionrevolutionfoundationpx;height:successfulsupportersmillenniumhis
http://i
https://curl.se/
http://An
http://UA-Compatible
http://encoding=
http://www.
http://www.interpretation
http://addEventListenerresponsible
https://curl.se/docs/alt-svc.html
https://www.recent
http://www.language=
http://www.css
http://according
http://w
http://www.<li

Import functions

wldap32.dll 17 CRYPT32.dll 6 KERNEL32.dll 74 msvcrt.dll 94 ADVAPI32.dll 1 WS2_32.dll 35

Function	Address	Souspicious	Anti Debug
ber_free	0x6b85f6fc
ldap_err2string	0x6b85f700
ldap_first_attribute	0x6b85f704
ldap_first_entry	0x6b85f708
ldap_get_dn	0x6b85f70c
ldap_get_values_len	0x6b85f710
ldap_init	0x6b85f714
ldap_memfree	0x6b85f718
ldap_msgfree	0x6b85f71c
ldap_next_attribute	0x6b85f720
ldap_next_entry	0x6b85f724
ldap_search_s	0x6b85f728
ldap_set_option	0x6b85f72c
ldap_simple_bind_s	0x6b85f730
ldap_sslinit	0x6b85f734
ldap_unbind_s	0x6b85f738
ldap_value_free_len	0x6b85f73c

Function	Address	Souspicious	Anti Debug
CertCloseStore	0x6b85f438
CertEnumCertificatesInStore	0x6b85f43c
CertFreeCertificateContext	0x6b85f440
CertGetEnhancedKeyUsage	0x6b85f444
CertGetIntendedKeyUsage	0x6b85f448
CertOpenSystemStoreA	0x6b85f44c

Function	Address	Souspicious	Anti Debug
AcquireSRWLockExclusive	0x6b85f454
AddVectoredExceptionHandler	0x6b85f458
CloseHandle	0x6b85f45c
CompareFileTime	0x6b85f460
CreateEventA	0x6b85f464
CreateSemaphoreA	0x6b85f468
DeleteCriticalSection	0x6b85f46c
DuplicateHandle	0x6b85f470
EnterCriticalSection	0x6b85f474
FormatMessageW	0x6b85f478
FreeLibrary	0x6b85f47c
GetACP	0x6b85f480
GetCurrentProcess	0x6b85f484
GetCurrentProcessId	0x6b85f488
GetCurrentThread	0x6b85f48c
GetCurrentThreadId	0x6b85f490
GetEnvironmentVariableA	0x6b85f494
GetFileType	0x6b85f498
GetHandleInformation	0x6b85f49c
GetLastError	0x6b85f4a0
GetModuleHandleA	0x6b85f4a4
GetModuleHandleW	0x6b85f4a8
GetProcAddress	0x6b85f4ac
GetProcessAffinityMask	0x6b85f4b0
GetStdHandle	0x6b85f4b4
GetSystemDirectoryA	0x6b85f4b8
GetSystemTimeAsFileTime	0x6b85f4bc
GetThreadContext	0x6b85f4c0
GetThreadPriority	0x6b85f4c4
GetTickCount64	0x6b85f4c8
GetTickCount	0x6b85f4cc
InitializeCriticalSection	0x6b85f4d0
InitializeCriticalSectionEx	0x6b85f4d4
IsDBCSLeadByteEx	0x6b85f4d8
IsDebuggerPresent	0x6b85f4dc
IsProcessorFeaturePresent	0x6b85f4e0
LeaveCriticalSection	0x6b85f4e4
LoadLibraryA	0x6b85f4e8
LoadLibraryW	0x6b85f4ec
MoveFileExA	0x6b85f4f0
MultiByteToWideChar	0x6b85f4f4
OpenProcess	0x6b85f4f8
OutputDebugStringA	0x6b85f4fc
PeekNamedPipe	0x6b85f500
QueryPerformanceCounter	0x6b85f504
QueryPerformanceFrequency	0x6b85f508
RaiseException	0x6b85f50c
ReadFile	0x6b85f510
ReleaseSRWLockExclusive	0x6b85f514
ReleaseSemaphore	0x6b85f518
RemoveVectoredExceptionHandler	0x6b85f51c
ResetEvent	0x6b85f520
ResumeThread	0x6b85f524
SetEvent	0x6b85f528
SetLastError	0x6b85f52c
SetProcessAffinityMask	0x6b85f530
SetThreadContext	0x6b85f534
SetThreadPriority	0x6b85f538
Sleep	0x6b85f53c
SleepEx	0x6b85f540
SuspendThread	0x6b85f544
TerminateProcess	0x6b85f548
TlsAlloc	0x6b85f54c
TlsGetValue	0x6b85f550
TlsSetValue	0x6b85f554
TryEnterCriticalSection	0x6b85f558
VerSetConditionMask	0x6b85f55c
VerifyVersionInfoW	0x6b85f560
VirtualProtect	0x6b85f564
VirtualQuery	0x6b85f568
WaitForMultipleObjects	0x6b85f56c
WaitForSingleObject	0x6b85f570
WaitForSingleObjectEx	0x6b85f574
WideCharToMultiByte	0x6b85f578

Function	Address	Souspicious	Anti Debug
__mb_cur_max	0x6b85f580
_access	0x6b85f584
_amsg_exit	0x6b85f588
_assert	0x6b85f58c
_beginthreadex	0x6b85f590
_close	0x6b85f594
_close	0x6b85f598
_endthreadex	0x6b85f59c
_errno	0x6b85f5a0
_fdopen	0x6b85f5a4
_fstati64	0x6b85f5a8
_ftime	0x6b85f5ac
_getpid	0x6b85f5b0
_initterm	0x6b85f5b4
_iob	0x6b85f5b8
_lock	0x6b85f5bc
_lseek	0x6b85f5c0
_lseeki64	0x6b85f5c4
_open	0x6b85f5c8
_read	0x6b85f5cc
_setjmp3	0x6b85f5d0
_stati64	0x6b85f5d4
_stat	0x6b85f5d8
_strdup	0x6b85f5dc
_strtoi64	0x6b85f5e0
_strtoui64	0x6b85f5e4
_sys_errlist	0x6b85f5e8
_sys_nerr	0x6b85f5ec
_strdup	0x6b85f5f0
_ultoa	0x6b85f5f4
_unlink	0x6b85f5f8
_unlock	0x6b85f5fc
_vsnprintf	0x6b85f600
_write	0x6b85f604
_write	0x6b85f608
abort	0x6b85f60c
atoi	0x6b85f610
bsearch	0x6b85f614
calloc	0x6b85f618
exit	0x6b85f61c
fclose	0x6b85f620
feof	0x6b85f624
ferror	0x6b85f628
fflush	0x6b85f62c
fgets	0x6b85f630
fopen	0x6b85f634
fprintf	0x6b85f638
fputc	0x6b85f63c
fputs	0x6b85f640
fread	0x6b85f644
fseek	0x6b85f648
free	0x6b85f64c
ftell	0x6b85f650
fwrite	0x6b85f654
getc	0x6b85f658
getenv	0x6b85f65c
gmtime	0x6b85f660
isspace	0x6b85f664
isxdigit	0x6b85f668
localeconv	0x6b85f66c
longjmp	0x6b85f670
malloc	0x6b85f674
memchr	0x6b85f678
memcmp	0x6b85f67c
memcpy	0x6b85f680
memmove	0x6b85f684
memset	0x6b85f688
printf	0x6b85f68c
qsort	0x6b85f690
realloc	0x6b85f694
setlocale	0x6b85f698
setvbuf	0x6b85f69c
strchr	0x6b85f6a0
strcmp	0x6b85f6a4
strcpy	0x6b85f6a8
strcspn	0x6b85f6ac
strerror	0x6b85f6b0
strftime	0x6b85f6b4
strlen	0x6b85f6b8
strncmp	0x6b85f6bc
strncpy	0x6b85f6c0
strpbrk	0x6b85f6c4
strrchr	0x6b85f6c8
strspn	0x6b85f6cc
strstr	0x6b85f6d0
strtol	0x6b85f6d4
strtoul	0x6b85f6d8
time	0x6b85f6dc
tolower	0x6b85f6e0
vfprintf	0x6b85f6e4
ungetc	0x6b85f6e8
wcslen	0x6b85f6ec
_read	0x6b85f6f0
wcstombs	0x6b85f6f4

Function	Address	Souspicious	Anti Debug
SystemFunction036	0x6b85f430

Function	Address	Souspicious	Anti Debug
WSACleanup	0x6b85f744
WSACloseEvent	0x6b85f748
WSACreateEvent	0x6b85f74c
WSAEnumNetworkEvents	0x6b85f750
WSAEventSelect	0x6b85f754
WSAGetLastError	0x6b85f758
WSAIoctl	0x6b85f75c
WSAResetEvent	0x6b85f760
WSASetEvent	0x6b85f764
WSASetLastError	0x6b85f768
WSAStartup	0x6b85f76c
WSAWaitForMultipleEvents	0x6b85f770
__WSAFDIsSet	0x6b85f774
accept	0x6b85f778
bind	0x6b85f77c
closesocket	0x6b85f780
connect	0x6b85f784
freeaddrinfo	0x6b85f788
getaddrinfo	0x6b85f78c
gethostname	0x6b85f790
getpeername	0x6b85f794
getsockname	0x6b85f798
getsockopt	0x6b85f79c
htonl	0x6b85f7a0
htons	0x6b85f7a4
ioctlsocket	0x6b85f7a8
listen	0x6b85f7ac
ntohs	0x6b85f7b0
recv	0x6b85f7b4
recvfrom	0x6b85f7b8
select	0x6b85f7bc
send	0x6b85f7c0
sendto	0x6b85f7c4
setsockopt	0x6b85f7c8
socket	0x6b85f7cc

PE Exports 89 suspicious

Function	Address
curl_easy_cleanup	0x6b4516c0
curl_easy_duphandle	0x6b451710
curl_easy_escape	0x6b452590
curl_easy_getinfo	0x6b4516e0
curl_easy_header	0x6b45de00
curl_easy_impersonate	0x6b4510d0
curl_easy_init	0x6b4513b0
curl_easy_nextheader	0x6b45e000
curl_easy_option_by_id	0x6b4524c0
curl_easy_option_by_name	0x6b452450
curl_easy_option_next	0x6b452500
curl_easy_pause	0x6b451cd0
curl_easy_perform	0x6b451530
curl_easy_recv	0x6b452200
curl_easy_reset	0x6b451b60
curl_easy_send	0x6b4522f0
curl_easy_setopt	0x6b48c660
curl_easy_strerror	0x6b492c00
curl_easy_unescape	0x6b4528d0
curl_easy_upkeep	0x6b452400
curl_escape	0x6b4526a0
curl_formadd	0x6b453b80
curl_formfree	0x6b4546c0
curl_formget	0x6b4545c0
curl_free	0x6b452960
curl_getdate	0x6b481570
curl_getenv	0x6b45c330
curl_global_cleanup	0x6b451020
curl_global_init	0x6b450e30
curl_global_init_mem	0x6b450ef0
curl_global_sslset	0x6b451080
curl_maprintf	0x6b479500
curl_mfprintf	0x6b4795e0
curl_mime_addpart	0x6b473d70
curl_mime_data	0x6b473ec0
curl_mime_data_cb	0x6b4743c0
curl_mime_encoder	0x6b4742d0
curl_mime_filedata	0x6b474000
curl_mime_filename	0x6b473e60
curl_mime_free	0x6b473ab0
curl_mime_headers	0x6b474360
curl_mime_init	0x6b473c80
curl_mime_name	0x6b473e00
curl_mime_subparts	0x6b4749e0
curl_mime_type	0x6b474270
curl_mprintf	0x6b4795b0
curl_msnprintf	0x6b476440
curl_msprintf	0x6b479590
curl_multi_add_handle	0x6b47ce10
curl_multi_assign	0x6b480550
curl_multi_cleanup	0x6b47d940
curl_multi_fdset	0x6b47c2a0
curl_multi_info_read	0x6b47c5d0
curl_multi_init	0x6b47c1b0
curl_multi_perform	0x6b47fde0
curl_multi_poll	0x6b47c4c0
curl_multi_remove_handle	0x6b47dac0
curl_multi_setopt	0x6b47c780
curl_multi_socket	0x6b480390
curl_multi_socket_action	0x6b4803f0
curl_multi_socket_all	0x6b480000
curl_multi_strerror	0x6b492c20
curl_multi_timeout	0x6b47c930
curl_multi_wait	0x6b47c440
curl_multi_wakeup	0x6b47c540
curl_mvaprintf	0x6b479470
curl_mvfprintf	0x6b479650
curl_mvprintf	0x6b479620
curl_mvsnprintf	0x6b4774a0
curl_mvsprintf	0x6b479600
curl_pushheader_byname	0x6b468ee0
curl_pushheader_bynum	0x6b468e90
curl_share_cleanup	0x6b48c9e0
curl_share_init	0x6b48c7c0
curl_share_setopt	0x6b48c800
curl_share_strerror	0x6b492c40
curl_slist_append	0x6b48cc00
curl_slist_free_all	0x6b48cd30
curl_strequal	0x6b492930
curl_strnequal	0x6b4929a0
curl_unescape	0x6b452870
curl_url	0x6b4a34b0
curl_url_cleanup	0x6b4a34d0
curl_url_dup	0x6b4a3500
curl_url_get	0x6b4a3640
curl_url_set	0x6b4a3ed0
curl_url_strerror	0x6b492c60
curl_version	0x6b4a4b50
curl_version_info	0x6b4a4dc0