wc4aw1t506.dll

First submission 2023-09-14 10:59:03

File details

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	1090.5 KB (1116672 bytes)
Compile time:	2023-09-11 18:16:55
MD5:	e4919447b9ea5c4f02a0746ab64f8e7e
SHA1:	bf40844bd9286804351cf1c51ad1f68a26b81d92
SHA256:	f583b43851502322a69c67f0f8f3e50f296f397e4bbb50bc646bccca6ee79215
Import Hash :	9881fe8bdd76fbd975354d75e7c256d2
Sections 7	.text .rdata .data .pdata .gfids .rsrc .reloc
Directories 4	import export resource relocation
Virus Total:	16/70 VT report date: 2023-09-14 08:48:22

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://128.140.55.166/wc4aw1t506.dll	128.140.55.166	2023-09-14 10:59:03

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0xe7c7	59392	6fa71a022b29b5763ade560bfc1f83ae3f828de6	4d43afee646fc3c82cad1d4be1319574
.rdata	0x10000	0x417e6	268288	fb2621e17457632c1673bb588cf4b23a419d010d	633134f5daac042d68b605addf7b7839
.data	0x52000	0xbf598	779264	fbbd95dcac937aa7b8e0de184a771e0af23e54c3	81a2913d9eec8d23ffeb4c439a17457a
.pdata	0x112000	0xe40	4096	3b14d5bdaaf9e4811eec29ee31c53f4846c331e8	ad64602dff4bbef558102c9b9a9b606f
.gfids	0x113000	0x94	512	e77578487b6803ed741fb698da7a8640bf3f1fd5	b2e0b6647b886286763312a427dc2c1c
.rsrc	0x114000	0x728	2048	0c55dd4c0998fed3b6019e177e9106fb279b7af0	cbc8a329d23b29cf1007bd2a03f54f84
.reloc	0x115000	0x624	2048	4e3981613223788a5ba4499c129a93ed26de62bb	f2fa1171ec9ebec450265f67ebc73004

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_STRING	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x114320	646	PE Resource: RT_STRING - Data %d 641! Moscow Detached.Harderflint Popular Listened? mental CompelledAlec compare Echo+ dip- %d Tales) Proceedingsickly_arrested_ Beehive burn Fuel9%d identical_ Cost? Puddle Despair Servant@ %d$ machineryknocked 439, Careers 599. Madame 419 492 515@213, Newspapers climate@ Spur%d %s\ 207$ 871( blond acorn
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1145a8	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
None	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x114120	196

Name

Language

Sublanguage

Offset

Size

Data

RT_STRING

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x114320

646

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x1145a8

381

None

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x114120

196

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

Bochs & QEmu CPUID Trick

Strings analysis - File found

Library
mscoree.dll
utpcxre663tc32.dll
KERNEL32.dll

Import functions

KERNEL32.dll 79

Function	Address	Souspicious	Anti Debug
EnterCriticalSection	0x180010000
LeaveCriticalSection	0x180010008
InitializeCriticalSection	0x180010010
CloseHandle	0x180010018
GetLastError	0x180010020
GetCurrentActCtx	0x180010028
HeapCreate	0x180010030
TryEnterCriticalSection	0x180010038
CreateThread	0x180010040
OpenThread	0x180010048
FindFirstFileA	0x180010050
FindNextFileA	0x180010058
FindClose	0x180010060
WaitForSingleObject	0x180010068
WaitForMultipleObjects	0x180010070
GetCurrentThread	0x180010078
CreateFileMappingA	0x180010080
VirtualAlloc	0x180010088
DuplicateHandle	0x180010090
QueryPerformanceCounter	0x180010098
GetCurrentProcessId	0x1800100a0
GetCurrentThreadId	0x1800100a8
GetSystemTimeAsFileTime	0x1800100b0
InitializeSListHead	0x1800100b8
RtlCaptureContext	0x1800100c0
RtlLookupFunctionEntry	0x1800100c8
RtlVirtualUnwind	0x1800100d0
IsDebuggerPresent	0x1800100d8
UnhandledExceptionFilter	0x1800100e0
SetUnhandledExceptionFilter	0x1800100e8
GetStartupInfoW	0x1800100f0
IsProcessorFeaturePresent	0x1800100f8
GetModuleHandleW	0x180010100
RtlUnwindEx	0x180010108
InterlockedFlushSList	0x180010110
SetLastError	0x180010118
DeleteCriticalSection	0x180010120
InitializeCriticalSectionAndSpinCount	0x180010128
TlsAlloc	0x180010130
TlsGetValue	0x180010138
TlsSetValue	0x180010140
TlsFree	0x180010148
FreeLibrary	0x180010150
GetProcAddress	0x180010158
LoadLibraryExW	0x180010160
GetCurrentProcess	0x180010168
ExitProcess	0x180010170
TerminateProcess	0x180010178
GetModuleHandleExW	0x180010180
GetModuleFileNameA	0x180010188
MultiByteToWideChar	0x180010190
WideCharToMultiByte	0x180010198
HeapFree	0x1800101a0
HeapAlloc	0x1800101a8
LCMapStringW	0x1800101b0
FindFirstFileExA	0x1800101b8
IsValidCodePage	0x1800101c0
GetACP	0x1800101c8
GetOEMCP	0x1800101d0
GetCPInfo	0x1800101d8
GetCommandLineA	0x1800101e0
GetCommandLineW	0x1800101e8
GetEnvironmentStringsW	0x1800101f0
FreeEnvironmentStringsW	0x1800101f8
GetProcessHeap	0x180010200
GetStdHandle	0x180010208
GetFileType	0x180010210
GetStringTypeW	0x180010218
HeapReAlloc	0x180010220
HeapSize	0x180010228
SetStdHandle	0x180010230
RaiseException	0x180010238
WriteFile	0x180010240
FlushFileBuffers	0x180010248
GetConsoleCP	0x180010250
GetConsoleMode	0x180010258
SetFilePointerEx	0x180010260
WriteConsoleW	0x180010268
CreateFileW	0x180010270

PE Exports 1 suspicious

Function	Address
DllRegisterServer	0x18000f1b4