wdigest.dll

  • File Path: C:\Windows\system32\wdigest.dll
  • Description: Microsoft Digest Access

Hashes

| Type | Hash |
|---|---|
| MD5 | F5CCAC2D4D47A7FD60FCF26588B72C66 |
| SHA1 | 4A7C1B25E888E741BDD145BF92BAF730C878991B |
| SHA256 | BAB8CB5ACDAB6CAA1AA7A09BA24436C1CA5D4250D690681C5960ADA9B2F0DCEE |
| SHA384 | F53980ED0F267A65154BA2BDE3D5892E10601BCD8C16DF1DF956F1855FC401FD4F4810D172C856F086B9C638E9439394 |
| SHA512 | ACDE9B7DE1B651531A2D6E0B406A256EE14A8288B72F4C32F7E2DFE85DDD3D9D86C1C7A359FE30690C42C607CD940CEFBD94728EBB28E1F66EF8798935896459 |
| SSDEEP | 6144:dsB5kp6Nup5BmrKIrM4/MRwcVhcrV+le2TO:dsBOpKrKGMpOcV+842i |
| IMP | F8D88D9A3BF9BBD4F5E25177ECE786C6 |
| PESHA1 | 92714A9F96EA525B5BF89583E8A9C443082CD35B |
| PE256 | EAF0662A4BE3E863EAE79D0D4108061707E4F1394C6997A93FE42782060F2619 |

DLL Exports:

| Function Name | Ordinal | Type |
|---|---|---|
| SpUserModeInitialize | 7 | Exported Function |
| SpLsaModeInitialize | 6 | Exported Function |
| SsiCredentialsUpdateNotify | 3 | Exported Function |
| SsiCredentialsUpdateFree | 8 | Exported Function |
| SpInstanceInit | 32 | Exported Function |
| CredentialUpdateNotify | 5 | Exported Function |
| CredentialUpdateFree | 4 | Exported Function |
| SpInitialize | 1 | Exported Function |
| CredentialUpdateRegister | 2 | Exported Function |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WDIGEST.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.388 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.388
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/bab8cb5acdab6caa1aa7a09ba24436c1ca5d4250d690681c5960ada9b2f0dcee/detection/

Possible Misuse

The following table contains possible examples of wdigest.dll being misused. While wdigest.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| malware-ioc | misp_invisimole.json | "value": "%WINDIR%\\SysWOW64\\drivers\\wdigest.dll", | © ESET 2014-2018 |
| malware-ioc | invisimole | %WINDIR%\SysWOW64\drivers\wdigest.dll | © ESET 2014-2018 |
| malware-ioc | invisimole | "FlashConfigEnrollee" = "shell32 ShellExec_RunDLL "C:\Windows\SysWOW64\drivers\Rundll32.exe" "C:\Windows\SysWOW64\drivers\wdigest.dll",SpInitialize %SHELLCODE_BYTES%" | © ESET 2014-2018 |
| malware-ioc | win_apt_invisimole_wdigest_chain.yml | - '\Windows\SysWOW64\drivers\wdigest.dll' | © ESET 2014-2018 |
| malware-ioc | win_vulnbin_wdigest.yml | title: Suspicious Load Of Legitimate Wdigest.dll Library | © ESET 2014-2018 |
| malware-ioc | win_vulnbin_wdigest.yml | description: Detects suspicious cases of loading the legitimate Windows library wdigest.dll. Threat actors can bring the vulnerable, Windows XP version of the library to newer systems and exploit it for covert execution of malicious code. The rule detects instances when the wdigest.dll is unsigned (i.e. detected outside of the primary OS where it is signed by a catalog file), or instances when the library is loaded from outside of the default (system) folder. This technique is used by InvisiMole Group, as reported in June 2020. | © ESET 2014-2018 |
| malware-ioc | win_vulnbin_wdigest.yml | ImageLoaded\|endswith: '\wdigest.dll' | © ESET 2014-2018 |
| malware-ioc | win_vulnbin_wdigest.yml | - '\Windows\SysWOW64\wdigest.dll' | © ESET 2014-2018 |
| malware-ioc | win_vulnbin_wdigest.yml | - '\Windows\system32\wdigest.dll' | © ESET 2014-2018 |
| signature-base | generic_dumps.yar | $s2 = "wdigest.DLL" wide nocase | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.