winsnare.dll Binary Code Analysis - File Md5: 3871b1f0ed49caaa2dfa9d5aa78e61de
File hash value: 3871b1f0ed49caaa2dfa9d5aa78e61de. This is a 32-bit DLL file, and the file size is 980 K. This page is mainly to analyze the binary code of the file, that is, PE file format. To understand the content here, you need to have a certain computer expertise. The content of this page is mainly provided to people who are engaged in the maintenance of computer security in the industry, in the hope of contributing to the cause of computer security.
If you are a regular computer user, and do not understand the content, you can click on the following file name, to view the solutions for various problems caused by the file.
You can also download the repair tool directly to fix your operating system.
Called external files and functions:
In general, malicious files will call these types of functions: functions to intercept data, network functions, functions to modify the registry information, access to the browser personal privacy Cookie, and directly bypass the system to read hard disk data (Hint: The files below may be called by malicious files, but these files themselves are not necessarily malicious files. They may be some normal system files)
Export function:
The following function is a function provided by this file. The export function is useful for analyzing the specific behavior of a runtime file, starting from the function entry address, and debugging the code line by line. You can get a lot of data generated by this file.
This is my analysis results of this malicious file. If you have any questions, or have any problems that cannot be resolved, you can leave a message or email me.
• You can also use the following online detection function to check the file.
T21 can detect unknown files online, mainly using "behavior-based" judgment mechanism. It is very simple to use T21.
1. Click the "Upload File" button, select the file you want to detect, and then click "Submit".
2. The next step is to wait for the system to check, which may take a little time, so please be patient.
3. When the T21 scan engine finishes detection, the test results are immediately fed back, as shown below:
Other captured malicious files:
kyubey.exe - File Md5: de451a7d362b958b64fb1c1178af4b9f
qqbrowserframe.dll - File Md5: 701494979045bccac3e36076a8fd3c19
yacqq.dll - File Md5: d86c5f8b96ea0c50d97ffab630d13f61
winsnare64.dll - File Md5: cfbd64096227189096a7a68304cf44fd
yacqq.exe - File Md5: 8e4b07407b6881e4a0ec300910f716a4
kyubey.exe - File Md5: 7568abb7d1edfafeaf4cd87213e27e27
newfolder.exe - File Md5: a80f986017a54bdbe06f81b574b5c778
addr2lineui.exe - File Md5: fa56737b071b962dea4464f063b0593a
zip.exe - File Md5: e74310f0bd86ce806f0d1acd65d93715
If you are a regular computer user, and do not understand the content, you can click on the following file name, to view the solutions for various problems caused by the file.
You can also download the repair tool directly to fix your operating system.
DOS Stub
...
...
.text SECTION #1
.rdata SECTION #2
.data SECTION #3
.rsrc SECTION #4
.reloc SECTION #5
DOS Header
Type Name Value Memo
WORD e_magic 0x00005A4D DOS Sign WORD e_cblp 0x00000090 Bytes on last page of file WORD e_cp 0x00000003 Pages in file WORD e_crlc 0x00000000 Relocations WORD e_cparhdr 0x00000004 Size of header in paragraphs WORD e_minalloc 0x00000000 Minimum extra paragraphs needed WORD e_maxalloc 0x0000FFFF Maximum extra paragraphs needed WORD e_ss 0x00000000 Initial (relative) SS value WORD e_sp 0x000000B8 Initial SP value WORD e_csum 0x00000000 Checksum WORD e_ip 0x00000000 Initial IP value WORD e_cs 0x00000000 Initial (relative) CS value WORD e_lfarlc 0x00000040 File address of relocation table WORD e_ovno 0x00000000 Overlay number WORD e_res[4] [0]=0x00000000
[1]=0x00000000
[2]=0x00000000
[3]=0x00000000 Reserved words WORD e_oemid 0x00000000 OEM identifier (for e_oeminfo) WORD e_oeminfo 0x00000000 OEM information; e_oemid specific WORD e_res2[10] [1]=0x00000000
[2]=0x00000000
[3]=0x00000000
[4]=0x00000000
[5]=0x00000000
[6]=0x00000000
[7]=0x00000000
[8]=0x00000000
[9]=0x00000000
[10]=0x00000000 Reserved words WORD e_lfanew 0x000000F8 PE File Header address
[1]=0x00000000
[2]=0x00000000
[3]=0x00000000
[2]=0x00000000
[3]=0x00000000
[4]=0x00000000
[5]=0x00000000
[6]=0x00000000
[7]=0x00000000
[8]=0x00000000
[9]=0x00000000
[10]=0x00000000
NT HEADER - NT File Signature
Type Name Value Memo
DWORD Signature 0x00004550 PE File Sign: "PE"
NT HEADER - FILE HEADER
Type Name Value Memo
WORD Machine 0x0000014C File Bit (32Bit Or 64 Bit) WORD NumberOfSections 0x00000005 Number Of Sections DWORD TimeDateStamp 0x58DC684E File Create Time DWORD PointerToSymbolTable 0x00000000 Pointer To Symbol Table DWORD NumberOfSymbols 0x00000000 Number Of Symbols WORD SizeOfOptionalHeader 0x000000E0 Size Of Optional Header WORD Characteristics 0x00002102 File Type: (EXE or DLL)
NT HEADER - OPTIONAL HEADER
Type Name Value Memo
WORD Magic 0x0000010B Magic BYTE MajorLinkerVersion 0x0000000C Major Linker Version BYTE MinorLinkerVersion 0x00000000 Minor Linker Version DWORD SizeOfCode 0x0008E400 Size Of Code DWORD SizeOfInitializedData 0x00040000 Size Of Initialized Data DWORD SizeOfUninitializedData 0x00000000 Size Of Uninitialized Data DWORD AddressOfEntryPoint 0x00022C24 Address Of Entry Point DWORD BaseOfCode 0x00001000 Base Of Code DWORD BaseOfData 0x00090000 Base Of Data DWORD ImageBase 0x10000000 Image Base DWORD SectionAlignment 0x00001000 Section Alignment DWORD FileAlignment 0x00000200 File Alignment WORD MajorOperatingSystemVersion 0x00000005 Major Operating System Version WORD MinorOperatingSystemVersion 0x00000001 Minor Operating System Version WORD MajorImageVersion 0x00000000 Major Image Version WORD MinorImageVersion 0x00000000 Minor Image Version WORD MajorSubsystemVersion 0x00000005 Major Sub system Version WORD MinorSubsystemVersion 0x00000001 Minor Sub system Version DWORD Win32VersionValue 0x00000000 Win32 Version Value DWORD SizeOfImage 0x000D1000 Size Of Image DWORD SizeOfHeaders 0x00000400 Size Of Headers DWORD CheckSum 0x00000000 Check Sum WORD Subsystem 0x00000003 Sub system WORD DllCharacteristics 0x00000100 Dll Char acteristics DWORD SizeOfStackReserve 0x00100000 Size Of Stack Reserve DWORD SizeOfStackCommit 0x00001000 Size Of Stack Commit DWORD SizeOfHeapReserve 0x00100000 Size Of Heap Reserve DWORD SizeOfHeapCommit 0x00001000 Size Of Heap Commit DWORD LoaderFlags 0x00000000 Loader Flags DWORD NumberOfRvaAndSizes 0x00000010 Number Of Rva And Sizes
NT HEADER - OPTIONAL HEADER - Data Directory
Type Name Value Memo
DWORD DataDirectory[1].VirtualAddress 0x000B88E0 Data Directory Virtual Address DWORD DataDirectory[1].Size 0x0000005D Data Directory Size DWORD DataDirectory[2].VirtualAddress 0x000B8940 Data Directory Virtual Address DWORD DataDirectory[2].Size 0x000000B4 Data Directory Size DWORD DataDirectory[3].VirtualAddress 0x000C8000 Data Directory Virtual Address DWORD DataDirectory[3].Size 0x000005A8 Data Directory Size DWORD DataDirectory[4].VirtualAddress 0x00000000 Data Directory Virtual Address DWORD DataDirectory[4].Size 0x00000000 Data Directory Size DWORD DataDirectory[5].VirtualAddress 0x00000000 Data Directory Virtual Address DWORD DataDirectory[5].Size 0x00000000 Data Directory Size DWORD DataDirectory[6].VirtualAddress 0x000C9000 Data Directory Virtual Address DWORD DataDirectory[6].Size 0x00007DE8 Data Directory Size DWORD DataDirectory[7].VirtualAddress 0x00000000 Data Directory Virtual Address DWORD DataDirectory[7].Size 0x00000000 Data Directory Size DWORD DataDirectory[8].VirtualAddress 0x00000000 Data Directory Virtual Address DWORD DataDirectory[8].Size 0x00000000 Data Directory Size DWORD DataDirectory[9].VirtualAddress 0x00000000 Data Directory Virtual Address DWORD DataDirectory[9].Size 0x00000000 Data Directory Size DWORD DataDirectory[10].VirtualAddress 0x00000000 Data Directory Virtual Address DWORD DataDirectory[10].Size 0x00000000 Data Directory Size DWORD DataDirectory[11].VirtualAddress 0x000AE9B8 Data Directory Virtual Address DWORD DataDirectory[11].Size 0x00000040 Data Directory Size DWORD DataDirectory[12].VirtualAddress 0x00000000 Data Directory Virtual Address DWORD DataDirectory[12].Size 0x00000000 Data Directory Size DWORD DataDirectory[13].VirtualAddress 0x00090000 Data Directory Virtual Address DWORD DataDirectory[13].Size 0x0000035C Data Directory Size DWORD DataDirectory[14].VirtualAddress 0x000B7EFC Data Directory Virtual Address DWORD DataDirectory[14].Size 0x000000A0 Data Directory Size DWORD DataDirectory[15].VirtualAddress 0x00000000 Data Directory Virtual Address DWORD DataDirectory[15].Size 0x00000000 Data Directory Size DWORD DataDirectory[16].VirtualAddress 0x00000000 Data Directory Virtual Address DWORD DataDirectory[16].Size 0x00000000 Data Directory Size
SECTION #1Type Name Value Memo BYTE Name .text Section Name DWORD VirtualSize 0x0008E3BD Section Virtual Size DWORD VirtualAddress 0x00001000 Section Virtual Address DWORD SizeOfRawData 0x0008E400 Section Size Of Raw Data DWORD PointerToRawData 0x00000400 Section Pointer To Raw Data DWORD PointerToRelocations 0x00000000 Section Pointer To Relocations DWORD PointerToLinenumbers 0x00000000 Section Pointer To Linenumbers WORD NumberOfRelocations 0x00000000 Section Number Of Relocations WORD NumberOfLinenumbers 0x00000000 Section Number Of Linenumbers DWORD Characteristics 0x60000020 Section Characteristics
SECTION #2Type Name Value Memo BYTE Name .rdata Section Name DWORD VirtualSize 0x00029B3C Section Virtual Size DWORD VirtualAddress 0x00090000 Section Virtual Address DWORD SizeOfRawData 0x00029C00 Section Size Of Raw Data DWORD PointerToRawData 0x0008E800 Section Pointer To Raw Data DWORD PointerToRelocations 0x00000000 Section Pointer To Relocations DWORD PointerToLinenumbers 0x00000000 Section Pointer To Linenumbers WORD NumberOfRelocations 0x00000000 Section Number Of Relocations WORD NumberOfLinenumbers 0x00000000 Section Number Of Linenumbers DWORD Characteristics 0x40000040 Section Characteristics
SECTION #3Type Name Value Memo BYTE Name .data Section Name DWORD VirtualSize 0x0000DF28 Section Virtual Size DWORD VirtualAddress 0x000BA000 Section Virtual Address DWORD SizeOfRawData 0x00004000 Section Size Of Raw Data DWORD PointerToRawData 0x000B8400 Section Pointer To Raw Data DWORD PointerToRelocations 0x00000000 Section Pointer To Relocations DWORD PointerToLinenumbers 0x00000000 Section Pointer To Linenumbers WORD NumberOfRelocations 0x00000000 Section Number Of Relocations WORD NumberOfLinenumbers 0x00000000 Section Number Of Linenumbers DWORD Characteristics 0xC0000040 Section Characteristics
SECTION #4Type Name Value Memo BYTE Name .rsrc Section Name DWORD VirtualSize 0x000005A8 Section Virtual Size DWORD VirtualAddress 0x000C8000 Section Virtual Address DWORD SizeOfRawData 0x00000600 Section Size Of Raw Data DWORD PointerToRawData 0x000BC400 Section Pointer To Raw Data DWORD PointerToRelocations 0x00000000 Section Pointer To Relocations DWORD PointerToLinenumbers 0x00000000 Section Pointer To Linenumbers WORD NumberOfRelocations 0x00000000 Section Number Of Relocations WORD NumberOfLinenumbers 0x00000000 Section Number Of Linenumbers DWORD Characteristics 0x40000040 Section Characteristics
SECTION #5Type Name Value Memo BYTE Name .reloc Section Name DWORD VirtualSize 0x00007DE8 Section Virtual Size DWORD VirtualAddress 0x000C9000 Section Virtual Address DWORD SizeOfRawData 0x00007E00 Section Size Of Raw Data DWORD PointerToRawData 0x000BCA00 Section Pointer To Raw Data DWORD PointerToRelocations 0x00000000 Section Pointer To Relocations DWORD PointerToLinenumbers 0x00000000 Section Pointer To Linenumbers WORD NumberOfRelocations 0x00000000 Section Number Of Relocations WORD NumberOfLinenumbers 0x00000000 Section Number Of Linenumbers DWORD Characteristics 0x42000040 Section Characteristics
Called external files and functions:
In general, malicious files will call these types of functions: functions to intercept data, network functions, functions to modify the registry information, access to the browser personal privacy Cookie, and directly bypass the system to read hard disk data (Hint: The files below may be called by malicious files, but these files themselves are not necessarily malicious files. They may be some normal system files)
Import File - KERNEL32.dllGetModuleFileNameW CreateFileW GetProcAddress GetModuleHandleA VirtualProtect CloseHandle GetFileSize GetCurrentProcess WaitForSingleObject GetTimeFormatA SetEvent GetTickCount ExpandEnvironmentStringsA GetDateFormatA WideCharToMultiByte Sleep CreateEventA FileTimeToSystemTime CreateDirectoryA FindFirstFileA GetLastError FindClose ResetEvent GetLocalTime LoadLibraryA GetProcessWorkingSetSize CreateEventW SetProcessWorkingSetSize WaitForMultipleObjects CreateMutexA GetCurrentThreadId ReleaseMutex FileTimeToLocalFileTime LocalFree lstrlenA HeapAlloc HeapFree GetProcessHeap GetFileAttributesA SetLastError FindNextFileA InterlockedDecrement LocalAlloc ReadConsoleA GetConsoleMode SetConsoleMode CreateProcessA TerminateProcess GetStdHandle GetModuleFileNameA OutputDebugStringA HeapReAlloc GetModuleHandleW InitializeCriticalSectionAndSpinCount CopyFileW HeapDestroy MultiByteToWideChar RaiseException HeapSize IsWow64Process DecodePointer DeleteCriticalSection DeleteFileW ExpandEnvironmentStringsW WaitForMultipleObjectsEx UnregisterWaitEx QueryDepthSList InterlockedFlushSList InterlockedPushEntrySList InterlockedPopEntrySList InitializeSListHead ReleaseSemaphore SetProcessAffinityMask VirtualFree VirtualAlloc GetVersionExW FreeLibraryAndExitThread GetThreadTimes UnregisterWait RegisterWaitForSingleObject SetThreadAffinityMask GetProcessAffinityMask GetNumaHighestNodeNumber DeleteTimerQueueTimer ChangeTimerQueueTimer CreateTimerQueueTimer GetLogicalProcessorInformation GetThreadPriority SetThreadPriority SwitchToThread SignalObjectAndWait WaitForSingleObjectEx RtlCaptureStackBackTrace CreateTimerQueue TryEnterCriticalSection GetExitCodeThread DuplicateHandle GetFileAttributesExW SetEnvironmentVariableA SetEndOfFile GetExitCodeProcess WriteConsoleW OutputDebugStringW GetStringTypeW SetStdHandle SetFilePointerEx LoadLibraryW EnumSystemLocalesW GetUserDefaultLCID IsValidLocale GetLocaleInfoW LCMapStringW CompareStringW GetTimeFormatW FreeLibrary LoadLibraryExA lstrlenW EncodePointer CreateThread ExitThread ResumeThread EnterCriticalSection LeaveCriticalSection LoadLibraryExW GetSystemTimeAsFileTime IsDebuggerPresent IsProcessorFeaturePresent GetCommandLineA RtlUnwind ExitProcess GetModuleHandleExW AreFileApisANSI ReadFile ReadConsoleW IsValidCodePage GetACP GetOEMCP GetCPInfo GetCurrentThread UnhandledExceptionFilter SetUnhandledExceptionFilter TlsAlloc TlsGetValue TlsSetValue TlsFree GetStartupInfoW CreateSemaphoreW WriteFile GetTimeZoneInformation GetFileType FatalAppExitA FlushFileBuffers GetConsoleCP QueryPerformanceCounter GetCurrentProcessId GetEnvironmentStringsW FreeEnvironmentStringsW SetConsoleCtrlHandler GetDateFormatW
Import File - SHELL32.dllSHGetSpecialFolderPathW
Import File - ole32.dllCoUninitialize CoInitialize
Import File - OLEAUT32.dllFunction Address
0x00000006 Function Address
0x00000018 Function Address
0x00000008 Function Address
0x00000017 Function Address
0x00000009 Function Address
0x000000C9 Function Address
0x00000002 Function Address
0x000000C8 Function Address
0x0000000C Function Address
0x000000CA
0x00000006
0x00000018
0x00000008
0x00000017
0x00000009
0x000000C9
0x00000002
0x000000C8
0x0000000C
0x000000CA
Import File - WS2_32.dllFunction Address
0x0000000D Function Address
0x00000001 Function Address
0x00000013 Function Address
0x00000039 Function Address
0x00000073 Function Address
0x0000000B Function Address
0x0000006F Function Address
0x00000002 Function Address
0x00000014 Function Address
0x00000074 Function Address
0x00000017 Function Address
0x00000071 Function Address
0x00000003 Function Address
0x00000034 Function Address
0x00000010 Function Address
0x00000015 Function Address
0x0000000C Function Address
0x00000009 Function Address
0x00000012 Function Address
0x00000016
0x0000000D
0x00000001
0x00000013
0x00000039
0x00000073
0x0000000B
0x0000006F
0x00000002
0x00000014
0x00000074
0x00000017
0x00000071
0x00000003
0x00000034
0x00000010
0x00000015
0x0000000C
0x00000009
0x00000012
0x00000016
Import File - NETAPI32.dllDsRoleFreeMemory NetGetDCName NetLocalGroupGetMembers NetUserModalsGet NetUserGetInfo NetApiBufferFree DsRoleGetPrimaryDomainInformation NetQueryDisplayInformation NetLocalGroupEnum NetGroupGetUsers
Import File - SHLWAPI.dllPathFileExistsW PathFindFileNameW SHSetValueA PathQuoteSpacesW
Import File - dbghelp.dllMakeSureDirectoryPathExists
Export function:
The following function is a function provided by this file. The export function is useful for analyzing the specific behavior of a runtime file, starting from the function entry address, and debugging the code line by line. You can get a lot of data generated by this file.
Export File - WinSnare.dllOrdinals Function Name Address 0x00000001 Ferlari 0x0003B0AD 0x00000002 ServiceMain 0x00005BB0
This is my analysis results of this malicious file. If you have any questions, or have any problems that cannot be resolved, you can leave a message or email me.
• You can also use the following online detection function to check the file.
T21 can detect unknown files online, mainly using "behavior-based" judgment mechanism. It is very simple to use T21.
1. Click the "Upload File" button, select the file you want to detect, and then click "Submit".
2. The next step is to wait for the system to check, which may take a little time, so please be patient.
3. When the T21 scan engine finishes detection, the test results are immediately fed back, as shown below:
Other captured malicious files:
kyubey.exe - File Md5: de451a7d362b958b64fb1c1178af4b9f
qqbrowserframe.dll - File Md5: 701494979045bccac3e36076a8fd3c19
yacqq.dll - File Md5: d86c5f8b96ea0c50d97ffab630d13f61
winsnare64.dll - File Md5: cfbd64096227189096a7a68304cf44fd
yacqq.exe - File Md5: 8e4b07407b6881e4a0ec300910f716a4
kyubey.exe - File Md5: 7568abb7d1edfafeaf4cd87213e27e27
newfolder.exe - File Md5: a80f986017a54bdbe06f81b574b5c778
addr2lineui.exe - File Md5: fa56737b071b962dea4464f063b0593a
zip.exe - File Md5: e74310f0bd86ce806f0d1acd65d93715
Copyright statement: The above data is obtained by my analysis, and without authorization, you may not copy or reprint it.
Leave a Reply
Your email address will not be published. Required fields are marked *
Your email address will not be published. Required fields are marked *
If you need help, please leave a message, try to match the picture, and I will reply as soon as possible to each question.
User Reply & Help
»[May 02, 2019]
Ahmed Ali Shah say: Cool. Android Fastboot Reset Tool is one of the best way to unlock android devices. I think it is th ......
Reply: Thank you for your attention. According to the monitoring, this executable file should be infected b …View >>>
Ahmed Ali Shah say: Cool. Android Fastboot Reset Tool is one of the best way to unlock android devices. I think it is th ......Reply: Thank you for your attention. According to the monitoring, this executable file should be infected b …View >>>
»[April 27, 2019]Sergei Zolotarev say: I am playing CDs on my computer or listening to MP3 music on my hard disk. But when I run Photoshop ......
Reply: This kind of fault may be caused by the computer configuration being too low. For example, the CPU f …View >>>
Sergei Zolotarev say: I am playing CDs on my computer or listening to MP3 music on my hard disk. But when I run Photoshop ......Reply: This kind of fault may be caused by the computer configuration being too low. For example, the CPU f …View >>>
»[April 09, 2019]Guest say: The CPU is a newly purchased boxed Celeron D 2.8GHz. The motherboard is a Mercedes 865PE. The temper ......
Reply: This happens because the objects detected by the two are different. AID32 and HWiNFO detect the temp …View >>>
Guest say: The CPU is a newly purchased boxed Celeron D 2.8GHz. The motherboard is a Mercedes 865PE. The temper ......Reply: This happens because the objects detected by the two are different. AID32 and HWiNFO detect the temp …View >>>
»[April 05, 2019]amlan say: When I played a song on my computer, I sometimes plugged in the earphones and found that the sound o ......
Reply: This situation can be caused by the following reasons:The impedance of the headset. Normally used he …View >>>
amlan say: When I played a song on my computer, I sometimes plugged in the earphones and found that the sound o ......Reply: This situation can be caused by the following reasons:The impedance of the headset. Normally used he …View >>>
»[March 26, 2019]Alok say: When the scanner is turned on, the "SCSI card not found" error message appears. What happened?
Reply: This is because the fuse is set on the SCSI card. When a bad circuit condition (voltage instability …View >>>
Alok say: When the scanner is turned on, the "SCSI card not found" error message appears. What happened?Reply: This is because the fuse is set on the SCSI card. When a bad circuit condition (voltage instability …View >>>
»[March 06, 2019]utkrasht say: My computer uses the Geforce2 MX400 graphics card, but it is not very smooth when playing some 3D ga ......
Reply: From the enumerated phenomenon, there may be problems with high-end video memory. In general applica …View >>>
utkrasht say: My computer uses the Geforce2 MX400 graphics card, but it is not very smooth when playing some 3D ga ......Reply: From the enumerated phenomenon, there may be problems with high-end video memory. In general applica …View >>>
Copyright © 2016-2019 mygoodtools.com All rights reserved.