freebl3.dll

First submission 2023-06-27 13:00:02 Last sumbission 2024-04-17 09:46:02

File details

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	669.33 KB (685392 bytes)
Compile time:	2022-09-02 18:53:07
MD5:	550686c0ee48c386dfcb40199bd076ac
SHA1:	ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256:	edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
Import Hash :	f781fa19ee3108d3fcdb3967b70bbdf5
Sections 6	.text .rdata .data .00cfg .rsrc .reloc
Directories 6	import export resource debug relocation security
Virus Total:	0/70 VT report date: 2023-06-26 23:41:09

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 2

URL	Host (FQDN/IP)	Date Added
hXXp://185.172.128.23/8e6d9db21fb63946/freebl3.dll	185.172.128.23	2024-04-17 09:46:04
hXXp://192.121.87.173/a95bc524d4f5c43a/freebl3.dll	192.121.87.173	2024-04-14 08:47:03

PE Sections 2 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x80c95	527872	8436ccc2a34632f47c9e1adcef2f1a1b5f14efde	6e3626d2271b78d42d646159d0b9c9a2
.rdata	0x82000	0x206c4	133120	18215be397cc191726d33368ecc83e04eaa70032	1f2db9bf557bbf2fbc56e1821605126d
.data	0xa3000	0x463c	512	ed675095bb52a589bffc1c259bb4ad128e3c6229	9332b6379db7791ae2cd552085c6ffa6
.00cfg	0xa8000	0x4	512	26ea52ea5f1edc106377e79520659fda08d061af	3e88e89b3dcafaf3699d2c8c2c3c897e
.rsrc	0xa9000	0x378	1024	3076071c06ec24e1982887f5ce55b004984f15c7	d5f4c3c911ff336192b64ebaa9fab7a6
.reloc	0xaa000	0x23f0	9216	e8a592a1c3b9c7b7c578631f20eaad1a293332f9	a93e29d0b0b0b39e1da4084a41dcb105

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xa9060	792	PE Resource: RT_VERSION - Data 4VS_VERSION_INFOhX hX ?vStringFileInfoR000004b0CommentsBLegalCopyrightLicense: MPL 2FCompanyNameMozilla Foundation*FileDescription0FileVersion104.0.24ProductVersion104.0.2"InternalName8LegalTrademarksMozilla@OriginalFilenamefreebl3.dll0ProductNameFirefox6BuildID20220902153754DVarFileInfo$Translation

Name

Language

Sublanguage

Offset

Size

Data

RT_VERSION

LANG_ENGLISH

SUBLANG_ENGLISH_US

0xa9060

792

Meta infos 12

LegalCopyright:	License: MPL 2
InternalName:
FileVersion:	104.0.2
CompanyName:	Mozilla Foundation
BuildID:	20220902153754
LegalTrademarks:	Mozilla
Comments:
ProductName:	Firefox
ProductVersion:	104.0.2
FileDescription:
Translation:	0x0000 0x04b0
OriginalFilename:	freebl3.dll

Packers detected 1

Borland Delphi 3.0 (???)

Anti debug functions 4

IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

Bochs & QEmu CPUID Trick

File signature

MD5	SHA1	Block size	Virtual Address
952a7d7423c8a2b375edb162e36f4e27	aa3c0324db5f08bf932b4c064105a532ca3591d0	12112	673280

Strings analysis - File found

Library
freebl3.dll
api-ms-win-crt-utility-l1-1-0.dll
ADVAPI32.dll
api-ms-win-crt-time-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
vcruntime140.dll
nss3.dll
api-ms-win-crt-runtime-l1-1-0.dll
KERNEL32.dll

Strings analysis - Possible URLs found 22

http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
http://ocsp.digicert.com0
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
http://www.digicert.com/CPS0
http://crl3.digicert.com/sha2-assured-cs-g1.crl05
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://ocsp.digicert.com0C
http://ocsp.digicert.com0A
http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
http://ocsp.digicert.com0N
https://mozilla.org0/
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
http://ocsp.digicert.com0X
http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
https://www.digicert.com/CPS0

Import functions

api-ms-win-crt-time-l1-1-0.dll 1 api-ms-win-crt-runtime-l1-1-0.dll 9 api-ms-win-crt-heap-l1-1-0.dll 3 api-ms-win-crt-string-l1-1-0.dll 2 nss3.dll 30 KERNEL32.dll 18 api-ms-win-crt-utility-l1-1-0.dll 1 VCRUNTIME140.dll 6 ADVAPI32.dll 1

Function	Address	Souspicious	Anti Debug
_time64	0x100a1fcc

Function	Address	Souspicious	Anti Debug
_cexit	0x100a1f98
_configure_narrow_argv	0x100a1f9c
_execute_onexit_table	0x100a1fa0
_initialize_narrow_environment	0x100a1fa4
_initialize_onexit_table	0x100a1fa8
_initterm	0x100a1fac
_initterm_e	0x100a1fb0
_seh_filter_dll	0x100a1fb4
abort	0x100a1fb8

Function	Address	Souspicious	Anti Debug
calloc	0x100a1fd4
free	0x100a1fd8
malloc	0x100a1fdc

Function	Address	Souspicious	Anti Debug
_strdup	0x100a1fc0
strlen	0x100a1fc4

Function	Address	Souspicious	Anti Debug
NSS_SecureMemcmp	0x100a1ea4
NSS_SecureMemcmpZero	0x100a1ea8
PORT_Alloc_Util	0x100a1eac
PORT_ArenaAlloc_Util	0x100a1eb0
PORT_ArenaZAlloc_Util	0x100a1eb4
PORT_FreeArena_Util	0x100a1eb8
PORT_Free_Util	0x100a1ebc
PORT_GetError_Util	0x100a1ec0
PORT_NewArena_Util	0x100a1ec4
PORT_SetError_Util	0x100a1ec8
PORT_ZAllocAlignedOffset_Util	0x100a1ecc
PORT_ZAlloc_Util	0x100a1ed0
PORT_ZFree_Util	0x100a1ed4
PR_CallOnce	0x100a1ed8
PR_DestroyCondVar	0x100a1edc
PR_DestroyLock	0x100a1ee0
PR_GetEnvSecure	0x100a1ee4
PR_Lock	0x100a1ee8
PR_NewCondVar	0x100a1eec
PR_NewLock	0x100a1ef0
PR_NotifyAllCondVar	0x100a1ef4
PR_NotifyCondVar	0x100a1ef8
PR_Unlock	0x100a1efc
PR_WaitCondVar	0x100a1f00
SECITEM_AllocItem_Util	0x100a1f04
SECITEM_CompareItem_Util	0x100a1f08
SECITEM_CopyItem_Util	0x100a1f0c
SECITEM_FreeItem_Util	0x100a1f10
SECITEM_ZfreeItem_Util	0x100a1f14
SECOID_FindOIDTag_Util	0x100a1f18

Function	Address	Souspicious	Anti Debug
DisableThreadLibraryCalls	0x100a1f28
GetComputerNameA	0x100a1f2c
GetCurrentProcess	0x100a1f30
GetCurrentProcessId	0x100a1f34
GetCurrentThreadId	0x100a1f38
GetDiskFreeSpaceA	0x100a1f3c
GetLogicalDrives	0x100a1f40
GetSystemTimeAsFileTime	0x100a1f44
GetTickCount	0x100a1f48
GetVolumeInformationA	0x100a1f4c
GlobalMemoryStatus	0x100a1f50
InitializeSListHead	0x100a1f54
IsDebuggerPresent	0x100a1f58
IsProcessorFeaturePresent	0x100a1f5c
QueryPerformanceCounter	0x100a1f60
SetUnhandledExceptionFilter	0x100a1f64
TerminateProcess	0x100a1f68
UnhandledExceptionFilter	0x100a1f6c

Function	Address	Souspicious	Anti Debug
_byteswap_ulong	0x100a1f90

Function	Address	Souspicious	Anti Debug
__std_type_info_destroy_list	0x100a1f74
_except_handler4_common	0x100a1f78
memcmp	0x100a1f7c
memcpy	0x100a1f80
memmove	0x100a1f84
memset	0x100a1f88

Function	Address	Souspicious	Anti Debug
SystemFunction036	0x100a1f20

PE Exports 1 suspicious

Function	Address
FREEBL_GetVector	0x10058980