freebl3.dll

First submission: 2023-02-06 10:39:01
Last submission: 2024-10-18 08:11:02

File details

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size: 669.33 KB (685392 bytes)
Compile time: 2022-09-02 18:53:07
MD5: 550686c0ee48c386dfcb40199bd076ac
SHA1: ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256: edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
Import Hash: f781fa19ee3108d3fcdb3967b70bbdf5
Sections 6 .text .rdata .data .00cfg .rsrc .reloc
Directories 6 security relocation debug resource export import

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

URLs, FQDN and IP indicators 12


PE Sections 2 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x80c95 527872 8436ccc2a34632f47c9e1adcef2f1a1b5f14efde 6e3626d2271b78d42d646159d0b9c9a2
.rdata 0x82000 0x206c4 133120 18215be397cc191726d33368ecc83e04eaa70032 1f2db9bf557bbf2fbc56e1821605126d
.data 0xa3000 0x463c 512 ed675095bb52a589bffc1c259bb4ad128e3c6229 9332b6379db7791ae2cd552085c6ffa6
.00cfg 0xa8000 0x4 512 26ea52ea5f1edc106377e79520659fda08d061af 3e88e89b3dcafaf3699d2c8c2c3c897e
.rsrc 0xa9000 0x378 1024 3076071c06ec24e1982887f5ce55b004984f15c7 d5f4c3c911ff336192b64ebaa9fab7a6
.reloc 0xaa000 0x23f0 9216 e8a592a1c3b9c7b7c578631f20eaad1a293332f9 a93e29d0b0b0b39e1da4084a41dcb105

Packers detected 1

Borland Delphi 3.0 (???)

Anti debug functions 1

Bochs & QEmu CPUID Trick

File signature

MD5 SHA1 Block size Virtual Address
952a7d7423c8a2b375edb162e36f4e27 aa3c0324db5f08bf932b4c064105a532ca3591d0 12112 673280

Strings analysis - File found

Library
KERNEL32.dll
api-ms-win-crt-runtime-l1-1-0.dll
nss3.dll
vcruntime140.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll
ADVAPI32.dll
api-ms-win-crt-utility-l1-1-0.dll
freebl3.dll

Strings analysis - Possible URLs found 22


PE Exports 1 suspicious

Function Address
FREEBL_GetVector 0x10058980