DigitalSide Threat Intel

vcruntime140.dll

First submission 2023-06-27 12:59:02 Last sumbission 2023-09-30 19:25:01

File details

File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 78.98 KB (80880 bytes)
Compile time: 2019-07-18 23:54:04
MD5: a37ee36b536409056a86f50e67777dd7
SHA1: 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256: 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
Import Hash : 6a84b7445ccacd5d29ac27de2745f356
Sections 5 .text .data .idata .rsrc .reloc
Directories 6 import export resource debug relocation security
Virus Total: 0/70 VT report date: 2023-06-27 10:49:25

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 6

URL Host (FQDN/IP) Date Added
hXXp://45.140.147.83/0d79b00b81d1cdb5/vcruntime140.dll VirusTotal Report 45.140.147.83 VirusTotal Report 2023-09-30 19:25:02
hXXp://217.196.96.138/063ec44b1db69f0e/vcruntime140.dll VirusTotal Report 217.196.96.138 VirusTotal Report 2023-09-30 19:24:03
hXXp://208.91.189.189/05b85f6a6b0e9444/vcruntime140.dll VirusTotal Report 208.91.189.189 VirusTotal Report 2023-09-28 18:52:04
hXXp://193.201.8.110/c67be317e1e6e8d4/vcruntime140.dll VirusTotal Report 193.201.8.110 VirusTotal Report 2023-09-28 18:45:03
hXXp://91.103.253.2/bdc46bd1e5d3e260/vcruntime140.dll VirusTotal Report 91.103.253.2 VirusTotal Report 2023-09-26 07:05:03
hXXp://185.161.251.81/a4cf60df505c17ab/vcruntime140.dll VirusTotal Report 185.161.251.81 VirusTotal Report 2023-09-24 16:23:04

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0xdcf4 56832 ce007357c33fa7e0901a68b854d8d2a98cc9565a 4da508a792f17eb70fc527f196e17b1c
.data 0xf000 0x5f4 512 8f20f51d3120a29f73f5eac966c2c3d707e745a2 44f568c10e74e073142f81fd4e04d7e6
.idata 0x10000 0x584 1536 105faec2dc8fcd60857288724616c55d1b26093e 815d869d862ccfa9c90b3f4063cd90eb
.rsrc 0x11000 0x400 1024 93a777ce81ee313c7ede1bc87f674a4f5c92f341 ec015dc17ff07dd72f25a48791ffde15
.reloc 0x12000 0xa10 3072 35afbc8e084e566a5b966b515fe5cd58e837b1c0 8d6967b67a7b3932ec34879053146032

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x11060 928

Meta infos 9

LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.
InternalName: vcruntime140.dll
FileVersion: 14.16.27033.0 built by: vcwrkspc
CompanyName: Microsoft Corporation
ProductVersion: 14.16.27033.0
FileDescription: Microsoft\xae C Runtime Library
Translation: 0x0409 0x04b0
OriginalFilename: vcruntime140.dll
ProductName: Microsoft\xae Visual Studio\xae 2017

Packers detected 1

Borland Delphi 3.0 (???)

Anti debug functions 5

GetLastError
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

File signature

MD5 SHA1 Block size Virtual Address
a776ba51117476a3fc4871001bd080db 8e5cca4cdd8ea567896a915700e8831521e0205c 16880 64000

Strings analysis - File found

Library
vcruntime140.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
KERNEL32.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll

Strings analysis - Possible URLs found 15

http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
http://www.microsoft.com/pkiops/docs/primarycps.htm0@
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
http://www.microsoft.com/PKI/docs/CPS/default.htm0@
http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
http://www.microsoft.com0
http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a

Import functions

Function Address Souspicious Anti Debug
calloc 0x10010084
malloc 0x10010088
free 0x1001008c
Function Address Souspicious Anti Debug
atol 0x1001007c
Function Address Souspicious Anti Debug
strcpy_s 0x100100a8
wcsncmp 0x100100ac
Function Address Souspicious Anti Debug
abort 0x10010094
terminate 0x10010098
Function Address Souspicious Anti Debug
DeleteCriticalSection 0x10010000
TerminateProcess 0x10010004
GetCurrentProcess 0x10010008
SetUnhandledExceptionFilter 0x1001000c
UnhandledExceptionFilter 0x10010010
GetSystemTimeAsFileTime 0x10010014
GetCurrentThreadId 0x10010018
GetCurrentProcessId 0x1001001c
QueryPerformanceCounter 0x10010020
IsProcessorFeaturePresent 0x10010024
GetModuleHandleW 0x10010028
GetModuleFileNameW 0x1001002c
LoadLibraryExW 0x10010030
GetProcAddress 0x10010034
FreeLibrary 0x10010038
RtlUnwind 0x1001003c
VirtualQuery 0x10010040
EncodePointer 0x10010044
InterlockedPushEntrySList 0x10010048
InterlockedFlushSList 0x1001004c
RaiseException 0x10010050
EnterCriticalSection 0x10010054
LeaveCriticalSection 0x10010058
TlsSetValue 0x1001005c
GetLastError 0x10010060
SetLastError 0x10010064
InitializeCriticalSectionAndSpinCount 0x10010068
TlsAlloc 0x1001006c
TlsGetValue 0x10010070
TlsFree 0x10010074
Function Address Souspicious Anti Debug
__stdio_common_vsprintf_s 0x100100a0

PE Exports 81 suspicious

Function Address
_CreateFrameInfo 0x1000d7a0
_CxxThrowException 0x10007680
_EH_prolog 0x1000df30
_FindAndUnlinkFrame 0x1000d7d0
_IsExceptionObjectToBeDestroyed 0x10005af0
_NLG_Dispatch2 0x10003f63
_NLG_Return 0x10002707
_NLG_Return2 0x10003f6d
_SetWinRTOutOfMemoryExceptionCallback 0x10005b20
__AdjustPointer 0x10005b30
__BuildCatchObject 0x10006a60
__BuildCatchObjectHelper 0x10006a70
__CxxDetectRethrow 0x10006a90
__CxxExceptionFilter 0x10006ae0
__CxxFrameHandler 0x1000d8b0
__CxxFrameHandler2 0x1000d8b0
__CxxFrameHandler3 0x1000d8b0
__CxxLongjmpUnwind 0x1000d8f0
__CxxQueryExceptionSize 0x10006c20
__CxxRegisterExceptionObject 0x10006c30
__CxxUnregisterExceptionObject 0x10006ce0
__DestructExceptionObject 0x10005a40
__FrameUnwindFilter 0x10005b60
__GetPlatformExceptionInfo 0x10005bb0
__RTCastToVoid 0x10007250
__RTDynamicCast 0x100072d0
__RTtypeid 0x100073d0
__TypeMatch 0x10006a80
__current_exception 0x10005c00
__current_exception_context 0x10005c10
__intrinsic_setjmp 0x10003d60
__processing_throw 0x10005c20
__report_gsfailure 0x1000df80
__std_exception_copy 0x10007460
__std_exception_destroy 0x100074d0
__std_terminate 0x10005c30
__std_type_info_compare 0x10007510
__std_type_info_destroy_list 0x10007550
__std_type_info_hash 0x10007580
__std_type_info_name 0x100075b0
__telemetry_main_invoke_trigger 0x10003f70
__telemetry_main_return_trigger 0x10003f70
__unDName 0x1000d3e0
__unDNameEx 0x1000d410
__uncaught_exception 0x100076f0
__uncaught_exceptions 0x10007710
__vcrt_GetModuleFileNameW 0x10007d10
__vcrt_GetModuleHandleW 0x10007d30
__vcrt_InitializeCriticalSectionEx 0x10007c60
__vcrt_LoadLibraryExW 0x10007d40
_chkesp 0x100045e0
_except_handler2 0x10003928
_except_handler3 0x100039f8
_except_handler4_common 0x10004480
_get_purecall_handler 0x10007d60
_get_unexpected 0x10007720
_global_unwind2 0x10003e30
_is_exception_typeof 0x10005c40
_local_unwind2 0x10003e96
_local_unwind4 0x10003b30
_longjmpex 0x10003e20
_purecall 0x10007d80
_seh_longjmp_unwind 0x10003b04
_seh_longjmp_unwind4 0x10003c08
_set_purecall_handler 0x10007da0
_set_se_translator 0x10007780
_setjmp3 0x10003da0
longjmp 0x10003fd0
memchr 0x10002730
memcmp 0x10004a90
memcpy 0x100027e0
memmove 0x10002d60
memset 0x100032e0
set_unexpected 0x10007740
strchr 0x10003440
strrchr 0x10003570
strstr 0x100036b0
unexpected 0x10007760
wcschr 0x10003ff0
wcsrchr 0x100040c0
wcsstr 0x10004170

Related files by ImpHash 1 6a84b7445ccacd5d29ac27de2745f356

Name Latest seen MD5
vcruntime140.dll 2023-09-25 17:42:02 1b171f9a428c44acf85f89989007c328