wdigest.dll

  • File Path: C:\Windows\SysWOW64\wdigest.dll
  • Description: Microsoft Digest Access

Hashes

  • MD5: 83B7BE67B3678B1A3A8D7B4C0E35E594
  • SHA1: D496D41B225A28709D080AF3742B1142CA9E3FC0
  • SHA256: 841151520A712B366096F1C60B8633D4A8EABCAC259A2A9B28515446061E9B6D
  • SHA384: FAA051A0CD5AF09E8FE532892832EA586A9943BA7D285085D6B55A90EACA1569A31F930785FCBA4623418F1ED79A7477
  • SHA512: 563622D19B86150C1D91A45774551A59C1036003A2EE172DCE33FF82C50136397E5323AD6663EE1BDB38E31146B227F54C288353B61B6822AA4C651A3FBF4DC4
  • SSDEEP: 3072:YpoFVwELVGIHytU+zmdR8ro36UBE+R1n5BG61dVoO5FXTS0Xq4++G5qrCO7i9CyC:LZGIHytDsRr66pvn5B3NSjZ+GRO9yHi
  • IMP (import hash): A88F636C534596C3AF8FDB6796567861
  • PESHA1 (authenticode SHA1): C94EF523C1A69B1141106F506F0CEC47B1022EE7
  • PE256 (authenticode SHA256): 116D1571A09ACB8383D7B933E549DE172AB4544C137917B3D7888CDDB0B79936

DLL Exports:

Exported functions, listed by ordinal:

  • 1: SpInitialize
  • 2: CredentialUpdateRegister
  • 3: SsiCredentialsUpdateNotify
  • 4: CredentialUpdateFree
  • 5: CredentialUpdateNotify
  • 6: SpLsaModeInitialize
  • 7: SpUserModeInitialize
  • 8: SsiCredentialsUpdateFree
  • 32: SpInstanceInit

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WDIGEST.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.388 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.388
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/841151520a712b366096f1c60b8633d4a8eabcac259a2a9b28515446061e9b6d/detection/

Possible Misuse

The following entries are possible examples of wdigest.dll being misused. While wdigest.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry gives the source repository, the source file, the matching excerpt and the license of the source.

  • Source: malware-ioc; File: misp_invisimole.json; Example: "value": "%WINDIR%\\SysWOW64\\drivers\\wdigest.dll"; License: © ESET 2014-2018
  • Source: malware-ioc; File: invisimole; Example: %WINDIR%\SysWOW64\drivers\wdigest.dll; License: © ESET 2014-2018
  • Source: malware-ioc; File: invisimole; Example: "FlashConfigEnrollee" = "shell32 ShellExec_RunDLL "C:\Windows\SysWOW64\drivers\Rundll32.exe" "C:\Windows\SysWOW64\drivers\wdigest.dll",SpInitialize %SHELLCODE_BYTES%"; License: © ESET 2014-2018
  • Source: malware-ioc; File: win_apt_invisimole_wdigest_chain.yml; Example: - '\Windows\SysWOW64\drivers\wdigest.dll'; License: © ESET 2014-2018
  • Source: malware-ioc; File: win_vulnbin_wdigest.yml; Example: title: Suspicious Load Of Legitimate Wdigest.dll Library; License: © ESET 2014-2018
  • Source: malware-ioc; File: win_vulnbin_wdigest.yml; Example: description: Detects suspicious cases of loading the legitimate Windows library wdigest.dll. Threat actors can bring the vulnerable Windows XP version of the library to newer systems and exploit it for covert execution of malicious code. The rule detects instances where wdigest.dll is unsigned (i.e. found outside the primary OS, where it is signed by a catalog file), or where the library is loaded from outside the default (system) folder. This technique is used by the InvisiMole group, as reported in June 2020.; License: © ESET 2014-2018
  • Source: malware-ioc; File: win_vulnbin_wdigest.yml; Example: ImageLoaded|endswith: '\wdigest.dll'; License: © ESET 2014-2018
  • Source: malware-ioc; File: win_vulnbin_wdigest.yml; Example: - '\Windows\SysWOW64\wdigest.dll'; License: © ESET 2014-2018
  • Source: malware-ioc; File: win_vulnbin_wdigest.yml; Example: - '\Windows\system32\wdigest.dll'; License: © ESET 2014-2018
  • Source: signature-base; File: generic_dumps.yar; Example: $s2 = "wdigest.DLL" wide nocase; License: CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.