Investigator: Nguyen Vu
Date: 14/05/2025
1. Executive Summary
This report presents the static and behavioral analysis of the suspicious DLL file
ncobjapi.dll. The file, flagged by 37 out of 70 antivirus engines on VirusTotal, is
identified as a 64-bit Portable Executable (PE) with multiple indicators of
malicious activity. It exhibits capabilities commonly associated with backdoors or
droppers, including encrypted payload handling, dynamic API resolution, anti-
analysis techniques, and potential credential theft via LSASS dumping. The malware
uses legitimate Windows APIs and obfuscation to evade detection and maintain
persistence. Static inspection reveals references to security software processes,
cryptographic functions, and WMI components, indicating possible lateral movement
or surveillance functionalities. Although not packed, the file is engineered to
execute malicious code in-memory and is likely part of a larger intrusion
framework.
2. Identification
2.1 Filename: ncobjapi.dll
File size: 134.00 KB (137216 bytes)
File type: PE64
2.2 MAC timestamps
Created: Mon Mar 28 03:49:02 2022 (UTC)
Modified: Mon Mar 28 03:49:02 2022 (UTC)
Accessed: Thu May 15 01:12:35 2025 (UTC)
2.3 Hashes
md5: 5137bc9bdaf804c255c2f14578ae20f0
sha1: 2416d69c15c80f901627ed7ba3b30cd43e523642
sha256: ae6920ddc0f3b9a2c856a03c87d8828b1f7b502bd43c4b91b026050d87046bab
2.4 Signing Information (Certificates)
Microsoft Linker 14.29 | Visual Studio 2015
Characteristic | Flag | Enabled
Address Space Layout Randomization (ASLR) | 0x0040 | true
Data Execution Prevention (DEP) | 0x0100 | true
Structured Exception Handling (SEH) | 0x0000 | true
High-Entropy | 0x0020 | true
2.5 Packer info
Not packed
Offset Size Entropy Status Name
0000000000000000 0000000000000400 3.05353 not packed PE Header
0000000000000400 0000000000011800 6.47980 not packed Section(0)['.text']
0000000000011c00 000000000000c400 4.79945 not packed Section(1)['.rdata']
000000000001e000 0000000000001a00 1.08058 not packed Section(2)['.data']
000000000001fa00 0000000000001000 4.95284 not packed Section(3)['.pdata']
0000000000020a00 0000000000000200 1.99214 not packed Section(4)['_RDATA']
0000000000020c00 0000000000000200 2.53021 not packed Section(5)['.rsrc']
0000000000020e00 0000000000000a00 4.92569 not packed Section(6)['.reloc']
2.6 Aliases
Kaspersky: Trojan.Win64.Agentb.ksyc
Bkav Pro: W32.Common.23BB99A6
Tencent: Malware.Win32.Gencirc.13dad11b
BitDefender: Trojan.GenericKD.67852822
AVG: Win64:Trojan-gen
VirusTotal detection ratio: 37/70 engines
3. Capabilities
Capability | Namespace
contain obfuscated stackstrings | anti-analysis/obfuscation/string/stackstring
create new key via CryptAcquireContext | data-manipulation/encryption
encrypt or decrypt via WinCrypt | data-manipulation/encryption
encrypt data using AES via WinAPI | data-manipulation/encryption/aes
contains PDB path | executable/pe/pdb
get common file path (3 matches) | host-interaction/file-system
delete file | host-interaction/file-system/delete
get file size | host-interaction/file-system/meta
move file | host-interaction/file-system/move
read file on Windows | host-interaction/file-system/read
get token membership | host-interaction/session
create thread | host-interaction/thread/create
link function at runtime on Windows (11 matches) | linking/runtime-linking
link many functions at runtime | linking/runtime-linking
execute shellcode via indirect call | load-code/shellcode
4. Dependencies
The following KERNEL32.dll imports are commonly seen in malware:
API | Implication
Sleep | Pauses execution – commonly used for anti-sandbox or anti-analysis techniques.
VirtualProtect | Changes memory protection – often used to decrypt or execute shellcode in memory.
CreateThread, GetProcAddress, LoadLibraryA | Used to dynamically load and execute malicious code (e.g., DLL injection, reflective loading).
GetModuleFileNameA, GetCurrentProcessId, GetCurrentThreadId | Retrieves process/thread info – often used for process hiding or anti-debugging.
DeleteFileA, ReadFile, WriteFile, CreateFileA/W | Direct file manipulation – used to self-delete, write logs, or drop malicious files.
RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind | Low-level ntdll.dll APIs – used in advanced exception handling or hiding code via stack unwinding.
UnhandledExceptionFilter | Common technique to hide and trigger payloads through exception handling.
HeapSize, FlushFileBuffers | Memory and I/O management – sometimes used to conceal actual malicious behavior.
=> The combination of VirtualProtect, CreateThread, GetProcAddress and LoadLibraryA suggests in-memory execution techniques (e.g., reflective DLL loading); this behavior is very consistent with a backdoor or loader. Note that RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, GetCurrentProcessId and GetCurrentThreadId are also imported by practically every MSVC-built x64 binary (the C runtime's startup code and /GS security-cookie failure handler use them), so on their own they are weak indicators.
5. Static Analysis
5.1 Top level components
_RDATA section: slightly unusual; it may be a compiler artifact or may be used for storing shellcode/data in a stealthy way.
All sections show expected permissions and sizes, and nothing stands out as packed or encrypted.
5.2 Execution points of entry
Entry point (RVA): 0x2650
Image base: 0x180000000
Absolute entry address: 0x180002650
Mapped section: .text
Subsystem: 0x0002 (Windows GUI)
Calculation: file offset = RVA - .text VirtualAddress + .text PointerToRawData = 0x2650 - 0x1000 + 0x400 = 0x1A50
At offset 0x1A50:
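To check the header facts in sections 2.4 and 5.2 directly rather than trusting a tool's output, the following added example (not from the original report) parses the PE32+ headers with only the Python standard library and maps the entry RVA to its file offset. The sample image is constructed from the report's values; the section VirtualAddresses (0x1000 for .text, 0x13000 for .rdata) and VirtualSizes are assumptions, since the report lists only raw sizes and offsets.

```python
import struct

# IMAGE_DLLCHARACTERISTICS bits listed in section 2.4 of this report
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE (ASLR)", 0x0100: "NX_COMPAT (DEP)"}

def parse_pe64(data):
    """Read entry RVA, image base, subsystem, DllCharacteristics and section table of a PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # optional header follows 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]      # ImageBase (64-bit)
    subsystem, dllchar = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):                                         # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry_rva": entry_rva, "image_base": image_base, "subsystem": subsystem,
            "flags": [n for bit, n in DLL_FLAGS.items() if dllchar & bit], "sections": sections}

def rva_to_file_offset(sections, rva):
    """Map an RVA to (section name, file offset): rva - VirtualAddress + PointerToRawData."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"], rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def build_sample_pe64():
    """Constructed header-only PE64 mirroring the report's values; contains no real code."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)         # x64, 2 sections, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                  # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x2650)                                # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x180000000)                           # ImageBase
    struct.pack_into("<HH", opt, 68, 0x0002, 0x0020 | 0x0040 | 0x0100)     # GUI; HEVA|ASLR|DEP
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x116F0, 0x1000, 0x11800, 0x400, 0, 0, 0, 0, 0x60000020)  # VA assumed
    sec += struct.pack("<8sIIIIIIHHI", b".rdata", 0xC2A0, 0x13000, 0xC400, 0x11C00, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
```

Running `rva_to_file_offset(parse_pe64(open(path, "rb").read())["sections"], 0x2650)` against the real file reproduces the 0x1A50 offset if the .text VirtualAddress is indeed 0x1000.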
5.3 Embedded strings
5.3.1. API Function names:
Name | Actions
CreateThread, LoadLibraryA | Dynamic loading & execution
VirtualProtect, HeapAlloc | Memory protection & allocation – common in unpacking shellcode
GetProcAddress, FreeLibrary | Dynamically resolving or releasing modules
CreateFileA, DeleteFileA | File creation and deletion – possible file dropper behavior
Sleep, IsDebuggerPresent | Anti-analysis & sandbox evasion
UnhandledExceptionFilter, RtlUnwindEx | Payload execution via exception handling
5.3.2. Dll dependencies:
Name | Implication
KERNEL32.dll | Basic system operations
ADVAPI32.dll | Registry, security tokens, crypto
RPCRT4.dll | Remote Procedure Call – possible C2
OLE32.dll | COM interaction – often seen in malware
SHLWAPI.dll | Shell helper functions
MSCOREE.dll | Suggests interaction with .NET runtime
5.3.3. Windows Management Instrumentation (WMI)
WmiCommitObject
WmiAddObjectProp
WmiCreateObject
WmiDestroyObject
WmiEventSourceConnect
WmiSetAndCommitObject
=> This DLL may be designed to interface with or extend wmiprvse.exe, i.e. code injection or data exfiltration via WMI. Note that these six names match exports of the legitimate ncobjapi.dll (the WMI Non-COM Event Provider API shipped in System32), so the sample appears to reproduce that library's export table, a pattern commonly seen in DLL side-loading; hunting should therefore record where on disk this copy was found relative to the genuine System32 file.
5.3.4. Cryptographic APIs
CryptAcquireContextA
CryptImportKey
CryptDecrypt
CryptSetKeyParam
=> CryptImportKey followed by CryptDecrypt suggests decryption of configuration, payloads, or C2 traffic.
5.3.5. Process & AV-Related Strings
MsMpEng.exe (Microsoft Defender)
Mcshield.exe (McAfee)
TMBMSRV.exe (Trend Micro)
rtvscan.exe (Symantec)
ccSetMgr.exe (Symantec)
ekrn.exe (ESET)
=> These indicate AV evasion, process injection, or target enumeration.
5.5 File contents
5.5.1 Package contents
5.5.2 Files created/deployed on the system
PDB path: C:\Users\123\Desktop\UseWhite\SSPDumpLsass\LoadDumpPass\x64\Release\ncobjapi.pdb
=> LSASS dumper component (credential theft)
8. Conclusion
The DLL ncobjapi.dll demonstrates clear traits of a sophisticated malware
component. Its use of Windows cryptographic APIs, memory manipulation, exception-
based payload delivery, and references to antivirus services strongly suggest its
purpose is to evade defenses and operate stealthily within the host system. The
presence of WMI-related strings implies an ability to interact with system
management features, potentially for reconnaissance or exfiltration. Moreover, the
file path linked to LSASS dumping tools signals a high risk of credential theft.
Given the evidence, this file should be classified as a high-threat agent, most
likely used as a loader or backdoor within a broader attack campaign. Immediate
isolation, further behavioral sandboxing, and threat hunting within the network
environment are recommended.