cryptbase.dll

  • File Path: C:\Windows\system32\cryptbase.dll
  • Description: Base cryptographic API DLL

Hashes

Type    Hash
MD5     34785289148E2B1DF0863B1D2CA45D7B
SHA1    9FD570887B8EAAD6CC4F040E3281717F2ECB35DF
SHA256  36DFA707D432FF6950D23A3DC72FF50401B4B59059279C2B808FB735683C29E2
SHA384  B6F884E0A8D2293F37CA29A5AEE4CA568DE542483CE389328ED463A079E0AC1D02A791A7E022D02C11E9FC0FE3EC0D87
SHA512  AE616B80AE5A901DECBAC79F70E63ACAC2081A951BE1771449C8E64587501B14400A7D3E21C152D6D64149E884D41D5516515A844893ACD6BCDCD4494E458D61
SSDEEP  384:lNPotYaw+ZNsdfm+bgmLUi/j+YkkUBTcLyuKRXWHIW1wVyDBRJ2yGNGw6lx2+tRq:lNPgz9ZNqu+lwcGuKR0/wI1P2yGYptRq
IMP     947563122A564336B8FE403CBB94531C
PESHA1  D621406946D0542683ABA9C28CEAA413F432BFE7
PE256   808A146380EFFE790A322FCD78A98B1DADBA3449129465567D6F2AA189296331

DLL Exports:

Function Name      Ordinal  Type
SystemFunction034  8        Exported Function
SystemFunction029  7        Exported Function
SystemFunction036  9        Exported Function
SystemFunction041  11       Exported Function
SystemFunction040  10       Exported Function
SystemFunction028  6        Exported Function
SystemFunction002  2        Exported Function
SystemFunction001  1        Exported Function
SystemFunction003  3        Exported Function
SystemFunction005  5        Exported Function
SystemFunction004  4        Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: cryptbase.dll
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/36dfa707d432ff6950d23a3dc72ff50401b4b59059279c2b808fb735683c29e2/detection/

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm\UIAVerify\WUIALoggerXml.dll 32
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm64\UIAVerify\WUIALoggerXml.dll 35
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\dumpchk.exe 30
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\rtlist.exe 24
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-crt-heap-l1-1-0.dll 32
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-crt-math-l1-1-0.dll 32
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-crt-multibyte-l1-1-0.dll 30
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-core-datetime-l1-1-0.dll 36
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-core-debug-l1-1-0.dll 32
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-crt-time-l1-1-0.dll 32
C:\Windows\system32\downlevel\api-ms-win-core-shutdown-l1-1-0.dll 35
C:\Windows\system32\downlevel\api-ms-win-core-sysinfo-l1-2-0.dll 41
C:\Windows\system32\downlevel\api-ms-win-core-sysinfo-l1-2-1.dll 36
C:\Windows\system32\downlevel\API-MS-Win-devices-config-L1-1-0.dll 41
C:\Windows\system32\downlevel\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dll 38
C:\Windows\system32\downlevel\API-MS-Win-security-lsapolicy-l1-1-0.dll 38
C:\Windows\SysWOW64\downlevel\api-ms-win-core-heap-l1-1-0.dll 36
C:\Windows\SysWOW64\downlevel\api-ms-win-core-threadpool-legacy-l1-1-0.dll 35
C:\Windows\SysWOW64\dsrole.dll 36
C:\Windows\SysWOW64\nsi.dll 43

Possible Misuse

The following table contains possible examples of cryptbase.dll being misused. While cryptbase.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source          Source File                Example                                                                          License
signature-base  apt_codoso.yar             $c4 = "\sysprep\CRYPTBASE.dll" fullword wide                                     CC BY-NC 4.0
signature-base  apt_netwire_rat.yar        $s3 = "CRYPTBASE" fullword ascii                                                 CC BY-NC 4.0
signature-base  apt_thrip.yar              $s1 = "C:\WINDOWS\system32\sysprep\cryptbase.dll" fullword ascii                 CC BY-NC 4.0
signature-base  apt_thrip.yar              $s2 = "C:\Windows\SysNative\sysprep\cryptbase.dll" fullword ascii                CC BY-NC 4.0
signature-base  apt_thrip.yar              $s2 = "C:\Windows\system32\sysprep\cryptbase.dll" fullword ascii                 CC BY-NC 4.0
signature-base  apt_thrip.yar              $s3 = "\CryptBase.dll" fullword ascii                                            CC BY-NC 4.0
signature-base  apt_thrip.yar              $s2 = "CryptBase.dll" fullword ascii                                             CC BY-NC 4.0
signature-base  apt_win_plugx.yar          $s3 = "l%s\sysprep\CRYPTBASE.DLL" fullword wide                                  CC BY-NC 4.0
signature-base  apt_win_plugx.yar          $s5 = "CRYPTBASE.DLL" fullword wide                                              CC BY-NC 4.0
signature-base  exploit_uac_elevators.yar  $s5 = "CRYPTBASE.dll" wide                                                       CC BY-NC 4.0
signature-base  exploit_uac_elevators.yar  $s6 = "loadFrom="%systemroot%\system32\sysprep\cryptbase.DLL"" fullword ascii    CC BY-NC 4.0
signature-base  thor-hacktools.yar         $s4 = "System32\migwiz\CRYPTBASE.dll" wide                                       CC BY-NC 4.0

MIT License. Copyright (c) 2020 Strontic.