c.dll

First submission 2022-08-03 10:15:02

File details

File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
File size: 109.4 KB (112024 bytes)
Compile time: 2022-07-26 20:07:31
MD5: 5f4bddeac9efdb3d9b90f10146bc76ab
SHA1: 21ba975e62fb149d02f0c085de1bf9e1e7d1a4f9
SHA256: 7a542cc9772e7433293f2633d019a9f4459ac516a06d5512ba886aeca6c6fa86
Import Hash : 38ba784a5f106834fa8e32a8d565f87b
Sections 6 .text .rdata .data .pdata .rsrc .reloc
Directories 5 import export resource relocation security
Virus Total: 28/70 VT report date: 2022-08-02 03:06:58

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://146.70.24.168/ln/c.dll 146.70.24.168 2022-08-03 10:15:02

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x509a 20992 b31202889d9cbac0ed337924dd187939465aef11 d38d213972733b63d222f1ac23b82509
.rdata 0x7000 0x27b3 10240 cc7954aedf61b8aeae282e5bd1d63050a7f4fda5 c33302ec769c1ea694bd04e44d4fc8c3
.data 0xa000 0x127a0 71168 b81d572eac1169ae30c00c02c3dedf3bbefcffb7 09fe9cb4d31c9bac85bdf8cee2c2d871
.pdata 0x1d000 0x51c 1536 034f23c1fc3544f1df57567a125af96ac5499151 47ec20310e3e1ef64b86ac567ea0d000
.rsrc 0x1e000 0x1b4 512 fe55e49f508eac685bbab664d62a7f3c51a7e409 4ac5de39a8386f9d7cbb3074161cad81
.reloc 0x1f000 0x25c 1024 f020d8169bd961ec0093a2a32f82a43204b4e8f0 00dff845d810942695aa23f55e6f50af

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x1e058 346

Anti debug functions 4

GetLastError
IsDebuggerPresent
TerminateProcess
UnhandledExceptionFilter

Note: all four are also imported by the statically linked MSVC runtime (IsDebuggerPresent in its __scrt_fastfail path, UnhandledExceptionFilter and TerminateProcess in its abort path, GetLastError everywhere), so their presence in the import table is weak evidence of deliberate anti-debugging. Confirm an actual check in the disassembly before counting this as an indicator.

File signature

MD5 SHA1 Block size Virtual Address
662ac4562a64e20028f6265c5b3e45d3 656553755c3908c51b89b564b8b55e1f40fcda8d 5528 106496

Note: for the security directory the "Virtual Address" field is a raw file offset, not an RVA: 106496 is 0x1A000, the end of the last section's raw data, where the 5528-byte Authenticode block is appended. The Sectigo/Comodo certificate chain inside this block is the source of the certificate URLs listed further down.

Strings analysis - File found

Text:
\OBS\pluginData\tesy.txt

Libraries:
USER32.dll
mscoree.dll
SHELL32.dll
CommStructures.dll
KERNEL32.dll

Note: mscoree.dll is the .NET CLR loader shim. The directory list above has no CLR runtime header, so this is a native DLL importing the shim rather than a managed or mixed-mode image; look for CLR hosting calls (CorBindToRuntimeEx, CLRCreateInstance) in its imports to see whether it starts the runtime and hands off to managed code. CommStructures.dll is not a Windows system library and should be treated as a companion component.

Strings analysis - Possible URLs found 8

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
http://ocsp.comodoca.com0
https://sectigo.com/CPS0
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
http://crl.comodoca.com/AAACertificateServices.crl04
http://ocsp.sectigo.com0
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#

Note: all eight are CRL, OCSP, AIA and CPS endpoints from the Sectigo/Comodo certificate chain embedded in the Authenticode signature, not network indicators of the sample's own behaviour. The trailing characters (0, 0#, 0y, 04) are the DER tag and length bytes that follow each URL inside the certificate and were picked up by the string scan.

Import functions

PE Exports 1 suspicious

Function Address
PluginExtProc 0x180001000

Note: 0x180001000 is the default x64 DLL image base 0x180000000 plus the .text RVA 0x1000, so the single export is the first function in .text. Together with the \OBS\pluginData path string, this is the entry point to examine first.
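The section-hash table, the file-signature block and the export listing above are all derived from the PE headers. The script below, added here as an example and not part of this report's tooling, reproduces those rows with only the Python standard library: it hashes each section's raw bytes as the table does, reads the security directory (whose address field is a file offset), and walks the export directory to the exported name and its virtual address. Because the sample itself is not included, the script builds a small constructed PE32+ DLL in memory; the export name PluginExtProc, the image base 0x180000000 and the timestamp are chosen to mirror the page, and everything else (section contents, certificate stub, DLL name) is made up. Run report() on the real c.dll bytes to regenerate the page's numbers.

```python
"""Added example (not the report's own tooling): regenerate the section-hash table,
signature block and export list of a PE32+ file with the standard library only."""
import hashlib
import struct
from datetime import datetime, timezone

DIR_EXPORT, DIR_SECURITY, PE32PLUS_MAGIC = 0, 4, 0x20B


def parse_pe(data):
    """COFF/optional headers, data directories and section table with per-section hashes."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                       # optional header after 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[rawptr:rawptr + rawsize]                 # the report hashes raw file bytes only
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "vaddress": vaddr, "vsize": vsize, "size": rawsize, "rawptr": rawptr,
                         "sha1": hashlib.sha1(raw).hexdigest(), "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "image_base": image_base, "directories": dirs, "sections": sections,
            "compile_time": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")}


def rva_to_offset(pe, rva):
    for s in pe["sections"]:                                # map an RVA to a file offset
        if s["vaddress"] <= rva < s["vaddress"] + max(s["vsize"], s["size"]):
            return rva - s["vaddress"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by a section")


def exports(data, pe):
    """(name, virtual address) pairs, as the report's 'PE Exports' table lists them."""
    rva, size = pe["directories"][DIR_EXPORT]
    if size == 0:
        return []
    fields = struct.unpack_from("<IIHHIIIIIII", data, rva_to_offset(pe, rva))
    nnames, funcs, names, ords = fields[7:11]
    out = []
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, rva_to_offset(pe, names) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, rva_to_offset(pe, ords) + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, rva_to_offset(pe, funcs) + 4 * ordinal)[0]
        noff = rva_to_offset(pe, name_rva)
        out.append((data[noff:data.index(b"\0", noff)].decode("ascii", "replace"), pe["image_base"] + func_rva))
    return out


def security_block(data, pe):
    """Authenticode block; its directory entry holds a raw FILE OFFSET, not an RVA."""
    off, size = pe["directories"][DIR_SECURITY]
    if size == 0:
        return None
    blob = data[off:off + size]
    return {"offset": off, "size": size, "md5": hashlib.md5(blob).hexdigest(), "sha1": hashlib.sha1(blob).hexdigest()}


def report(data):
    """The page's rows: compile time, sections, signature block, exports."""
    pe = parse_pe(data)
    rows = [f"Compile time: {pe['compile_time']}"]
    rows += [f"{s['name']} {s['vaddress']:#x} {s['vsize']:#x} {s['size']} {s['sha1']} {s['md5']}" for s in pe["sections"]]
    if sec := security_block(data, pe):
        rows.append(f"File signature: MD5 {sec['md5']} block size {sec['size']} file offset {sec['offset']}")
    return "\n".join(rows + [f"Export {name} {va:#x}" for name, va in exports(data, pe)])


def build_sample_pe():
    """Constructed test image (not bytes from c.dll): one .text section exporting
    PluginExtProc at RVA 0x1000, plus an appended WIN_CERTIFICATE stub."""
    base, rva, ptr, size = 0x180000000, 0x1000, 0x200, 0x200
    body = bytearray(size)
    body[0:4] = b"\x48\x31\xc0\xc3"                         # PluginExtProc: xor rax, rax ; ret
    struct.pack_into("<IIHHIIIIIII", body, 0x10, 0, 0, 0, 0, rva + 0x50, 1, 1, 1,
                     rva + 0x40, rva + 0x44, rva + 0x48)     # IMAGE_EXPORT_DIRECTORY
    struct.pack_into("<IIH", body, 0x40, rva, rva + 0x60, 0)  # functions[0], names[0], ordinals[0]
    body[0x50:0x5B], body[0x60:0x6E] = b"sample.dll\0", b"PluginExtProc\0"
    cert = struct.pack("<IHH", 0x30, 0x0200, 0x0002) + b"\x30" * 0x28  # WIN_CERTIFICATE stub, 48 bytes
    hdr = bytearray(ptr)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 1658866051, 0, 0, 240, 0x2022)  # x64 DLL, 1 section
    opt = 0x58
    struct.pack_into("<H22xQ", hdr, opt, PE32PLUS_MAGIC, base)   # Magic, ImageBase
    struct.pack_into("<II16xII", hdr, opt + 32, 0x1000, 0x200, 0x2000, ptr)  # alignments, SizeOfImage/Headers
    struct.pack_into("<III24xII", hdr, opt + 108, 16, rva + 0x10, 40,        # NumberOfRvaAndSizes, export dir
                     ptr + size, len(cert))                  # security dir = file offset of cert
    struct.pack_into("<8sIIII12xI", hdr, opt + 240, b".text", 0x80, rva, size, ptr, 0x60000020)
    return bytes(hdr + body + cert)


if __name__ == "__main__":
    print(report(build_sample_pe()))
```

Pointing parse_pe at the real file gives the same VAddress/VSize/Size and SHA1/MD5 columns as the PE Sections table, and security_block() returns the 5528-byte block at file offset 106496 whose MD5/SHA1 the File signature table lists. The import hash is not reproduced here, since it needs the import directory walk as well.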