Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2009-Jul-13 23:41:43 |
Detected languages | English - United States |
Debug artifacts | rundll32.pdb |
CompanyName | Microsoft Corporation |
FileDescription | Windows host process (Rundll32) |
FileVersion | 6.1.7600.16385 (win7_rtm.090713-1255) |
InternalName | rundll |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | RUNDLL32.EXE |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 6.1.7600.16385 |

Suspicious | Strings found in the binary may indicate undesirable behavior: | Contains references to system / monitoring tools: |
---|---|---|
Suspicious | The PE is possibly packed. | Section .text is both writable and executable. |
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 19/71 (Scanned on 2020-03-26 15:10:25) | MicroWorld-eScan: Gen:Trojan.Heur.FU.cq0@aqVaNzki; Cybereason: malicious.8507d6; BitDefenderTheta: AI:Packer.0015611A1F; APEX: Malicious; BitDefender: Gen:Trojan.Heur.FU.cq0@aqVaNzki; Avast: Win32:Evo-gen [Susp]; Ad-Aware: Gen:Trojan.Heur.FU.cq0@aqVaNzki; Emsisoft: Gen:Trojan.Heur.FU.cq0@aqVaNzki (B); F-Secure: Trojan.TR/Crypt.XPACK.Gen; FireEye: Generic.mg.2401fff8507d67b8; SentinelOne: DFI - Malicious PE; Avira: TR/Crypt.XPACK.Gen; Microsoft: Trojan:Win32/Wacatac.C!ml; Arcabit: Trojan.Heur.FU.E164FA; GData: Gen:Trojan.Heur.FU.cq0@aqVaNzki; MAX: malware (ai score=87); Cylance: Unsafe; AVG: Win32:Evo-gen [Susp]; CrowdStrike: win/malicious_confidence_80% (D) |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xd8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2009-Jul-13 23:41:43 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE |
Magic | PE32 |
---|---|
LinkerVersion | 9.1 |
SizeOfCode | 0x3a00 |
SizeOfInitializedData | 0x7000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000178C (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x5000 |
ImageBase | 0x5c0000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.1 |
ImageVersion | 6.1 |
SubsystemVersion | 6.1 |
Win32VersionValue | 0 |
SizeOfImage | 0xd250 |
SizeOfHeaders | 0x400 |
Checksum | 0x11cf2 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x40000 |
SizeofStackCommit | 0xc000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | HeapSetInformation QueryActCtxW CloseHandle SetFilePointer ReadFile CreateFileW LocalFree lstrlenA WideCharToMultiByte LocalAlloc lstrlenW GetProcAddress WaitForSingleObject CreateProcessW GetCommandLineW Wow64EnableWow64FsRedirection GetSystemDirectoryW GetNativeSystemInfo IsWow64Process GetCurrentProcess SetProcessDEPPolicy FormatMessageW GetLastError LoadLibraryExW FreeLibrary ExitProcess SetErrorMode DelayLoadFailureHook InterlockedCompareExchange LoadLibraryExA Sleep GetStartupInfoW InterlockedExchange SetUnhandledExceptionFilter GetModuleHandleA QueryPerformanceCounter GetTickCount GetCurrentThreadId GetCurrentProcessId GetSystemTimeAsFileTime TerminateProcess UnhandledExceptionFilter CompareStringW ReleaseActCtx DeactivateActCtx GetFileAttributesW SearchPathW CreateActCtxW GetModuleHandleW ActivateActCtx |
---|---|
USER32.dll | LoadIconW CharNextW DefWindowProcW GetClassLongW GetClassNameW GetWindow GetWindowLongW SetWindowLongW SetClassLongW CreateWindowExW RegisterClassW LoadCursorW LoadStringW MessageBoxW DestroyWindow |
msvcrt.dll | iswalpha _wtoi wcschr __wgetmainargs memset _vsnwprintf __set_app_type _controlfp _except_handler4_common ?terminate@@YAXXZ __p__fmode __p__commode __setusermatherr _amsg_exit _initterm _wcmdln exit _XcptFilter _exit _cexit |
imagehlp.dll | ImageDirectoryEntryToData |
ntdll.dll | NtClose NtOpenProcessToken NtSetInformationToken RtlImageNtHeader NtSetInformationProcess NtQueryInformationToken |
ole32.dll (delay-loaded) | CoCreateInstance CLSIDFromString CoInitializeEx CoUninitialize |
Attributes | 0x1 |
---|---|
Name | ole32.dll |
ModuleHandle | 0x507c |
DelayImportAddressTable | 0x5000 |
DelayImportNameTable | 0x404c |
BoundDelayImportTable | 0 |
UnloadDelayImportTable | 0 |
TimeStamp | 1970-Jan-01 00:00:00 |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 6.1.7600.16385 |
ProductVersion | 6.1.7600.16385 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32 VOS_NT VOS_NT_WINDOWS32 VOS_WINCE VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Windows host process (Rundll32) |
FileVersion (#2) | 6.1.7600.16385 (win7_rtm.090713-1255) |
InternalName | rundll |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | RUNDLL32.EXE |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 6.1.7600.16385 |
Resource LangID | English - United States |
---|---|
Characteristics | 0 |
---|---|
TimeDateStamp | 2009-Jul-13 23:41:43 |
Version | 0.0 |
SizeofData | 37 |
AddressOfRawData | 0x4978 |
PointerToRawData | 0x3d78 |
Referenced File | rundll32.pdb |
Characteristics | 0 |
---|---|
TimeDateStamp | 2009-Jul-13 23:41:43 |
Version | 565.6526 |
SizeofData | 4 |
AddressOfRawData | 0x4974 |
PointerToRawData | 0x3d74 |
Size | 0x48 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x5c5040 |
SEHandlerTable | 0x5c2680 |
SEHandlerCount | 1 |
XOR Key | 0x2cda1d12 |
---|---|
Unmarked objects | 0 |
ASM objects (VS2008 SP1 build 30729) | 1 |
Imports (VS2008 SP1 build 30729) | 11 |
Total imports | 100 |
C++ objects (VS2008 SP1 build 30729) | 3 |
C objects (VS2008 SP1 build 30729) | 21 |
Linker (VS2008 SP1 build 30729) | 1 |
Resource objects (VS2008 SP1 build 30729) | 1 |