Windows Analysis Report
glib-2.0.dll

Overview

General Information

Sample name: glib-2.0.dll
Analysis ID: 1544942
MD5: 34f4b186c725c3948820c0ad65c42c27
SHA1: a5422d027adc059ef5c78e635af2d43795710925
SHA256: 5cfa104a083d2b1d223f306b86829e5ae40cd0909c8d46828149296388d542a7
Tags: dll, user-likeastar20

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

AI detected suspicious sample
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 86.0% probability
Source: glib-2.0.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: C:\Windows\System32\loaddll32.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: glib-2.0.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\toolchain\src\glib-2.22.4-3\glib-2.22.4\build\win32\vs8\Release\bin\glib-2.0.pdb source: glib-2.0.dll
Source: glib-2.0.dll String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: glib-2.0.dll String found in binary or memory: http://freedesktop.org
Source: glib-2.0.dll String found in binary or memory: http://freedesktop.orgmetadataUnexpected
Source: glib-2.0.dll String found in binary or memory: http://ocsp.thawte.com0
Source: glib-2.0.dll String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: glib-2.0.dll String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: glib-2.0.dll String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: glib-2.0.dll String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
Source: glib-2.0.dll String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarksapplicationUnexpected
Source: glib-2.0.dll String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarksgroupUnexpected
Source: glib-2.0.dll String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarksgrouphttp://www.freedesktop.org/standards/desk
Source: glib-2.0.dll String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarksgroupshttp://www.freedesktop.org/standards/des
Source: glib-2.0.dll String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarksmetadataUnexpected
Source: glib-2.0.dll String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: glib-2.0.dll String found in binary or memory: http://www.vmware.com/0
Source: glib-2.0.dll Static PE information: invalid certificate
Source: glib-2.0.dll Binary or memory string: OriginalFilenamelibglib-2.0-0.dll* vs glib-2.0.dll
Source: classification engine Classification label: sus23.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: glib-2.0.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\glib-2.0.dll,_g_debug_flags
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\glib-2.0.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\glib-2.0.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\glib-2.0.dll,_g_debug_flags
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\glib-2.0.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\glib-2.0.dll,_g_debug_initialized
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\glib-2.0.dll,g_access
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: intl.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: glib-2.0.dll Static PE information: More than 1235 > 100 exports found
Source: glib-2.0.dll Static file information: File size 1074880 > 1048576
Source: glib-2.0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: glib-2.0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: glib-2.0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: glib-2.0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: glib-2.0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: glib-2.0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: glib-2.0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: glib-2.0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: glib-2.0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: glib-2.0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: glib-2.0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: glib-2.0.dll Static PE information: real checksum: 0x1108d6 should be: 0x10d0b0
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: glib-2.0.dll Binary or memory string: VMware, Inc.1>0<
Source: glib-2.0.dll Binary or memory string: http://www.vmware.com/0
Source: glib-2.0.dll Binary or memory string: VMware, Inc.0
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
No contacted IP infos