2401fff8507d67b826e5531f21df4a90

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2009-Jul-13 23:41:43
Detected languages English - United States
Debug artifacts rundll32.pdb
CompanyName Microsoft Corporation
FileDescription Windows host process (Rundll32)
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName rundll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename RUNDLL32.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • RUNDLL32.EXE
  • rundll32.exe
Suspicious The PE is possibly packed. Section .text is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryExA
Possibly launches other programs:
  • CreateProcessW
Uses Windows's Native API:
  • NtClose
  • NtOpenProcessToken
  • NtSetInformationToken
  • NtSetInformationProcess
  • NtQueryInformationToken
Malicious VirusTotal score: 19/71 (Scanned on 2020-03-26 15:10:25)
MicroWorld-eScan: Gen:Trojan.Heur.FU.cq0@aqVaNzki
Cybereason: malicious.8507d6
BitDefenderTheta: AI:Packer.0015611A1F
APEX: Malicious
BitDefender: Gen:Trojan.Heur.FU.cq0@aqVaNzki
Avast: Win32:Evo-gen [Susp]
Ad-Aware: Gen:Trojan.Heur.FU.cq0@aqVaNzki
Emsisoft: Gen:Trojan.Heur.FU.cq0@aqVaNzki (B)
F-Secure: Trojan.TR/Crypt.XPACK.Gen
FireEye: Generic.mg.2401fff8507d67b8
SentinelOne: DFI - Malicious PE
Avira: TR/Crypt.XPACK.Gen
Microsoft: Trojan:Win32/Wacatac.C!ml
Arcabit: Trojan.Heur.FU.E164FA
GData: Gen:Trojan.Heur.FU.cq0@aqVaNzki
MAX: malware (ai score=87)
Cylance: Unsafe
AVG: Win32:Evo-gen [Susp]
CrowdStrike: win/malicious_confidence_80% (D)

Hashes

MD5 2401fff8507d67b826e5531f21df4a90
SHA1 c6a800d9bb2cc06696b3db487e0be863b6729d2b
SHA256 877e55fdd8c6c9693c75c3c1b4917bdbb27c088a5307e51987659d21964ca46f
SHA3 703ac479eaf23e45c537a0444d3c699a858fea66ae86eea63057d91fea8c8f47
SSDeep 768:ubDUdf/DL9kFFaOSRqbSEln5IyYpamDjobj8S:u3UNJkFjSRqln5IUmDjoX
Imports Hash 5563b250192680a69397d5a716aa2051

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2009-Jul-13 23:41:43
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.1
SizeOfCode 0x3a00
SizeOfInitializedData 0x7000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000178C (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x5000
ImageBase 0x5c0000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.1
ImageVersion 6.1
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0xd250
SizeOfHeaders 0x400
Checksum 0x11cf2
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x40000
SizeofStackCommit 0xc000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 37bddd29b8940a7f0c47b153bfa7b0ca
SHA1 743360bbcb7bac3536494572bc20bf5e4ca2d0f2
SHA256 765fc658cddbbe3fd334b4e17af36d699016be70c26a1a0231bec8301c43f733
SHA3 568f49ee9a80606a0b820745e2c5b3732d34b022b11766bbb24c860a201c4626
VirtualSize 0x4000
VirtualAddress 0x1000
SizeOfRawData 0x3a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.42323

.data

MD5 e7c7fe095c3e0f1a6cf87f595b2e3004
SHA1 38cc365224b59cc8952cae9d4aa99883ba8c32da
SHA256 347ad6eb5c5cfa9f12ee40e28c63a8f3dd21f329e04f8b593c2e6be0f2c9075e
SHA3 a84aed265cfee946baa05aa610b8846f68f3a830ad6b384c8965a0e23c58b375
VirtualSize 0x1000
VirtualAddress 0x5000
SizeOfRawData 0x400
PointerToRawData 0x3e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.375178

.rsrc

MD5 8c33d8a4b6115a3d0801c10f6029922e
SHA1 48c26c31ad56cc0cb6df472653d8ce0c6e6d8a9a
SHA256 cf69334a85f6a6a0403a9ddeb8f77218b71442ba4fb79ac51e6899248be54ab9
SHA3 2f09bdd0f753b2f6a8ce46c1e0ff544c6402da43cf18f777667d53faf11b8a72
VirtualSize 0x7000
VirtualAddress 0x6000
SizeOfRawData 0x6800
PointerToRawData 0x4200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.70241

.reloc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x250
VirtualAddress 0xd000
SizeOfRawData 0
PointerToRawData 0xaa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Imports

KERNEL32.dll HeapSetInformation
QueryActCtxW
CloseHandle
SetFilePointer
ReadFile
CreateFileW
LocalFree
lstrlenA
WideCharToMultiByte
LocalAlloc
lstrlenW
GetProcAddress
WaitForSingleObject
CreateProcessW
GetCommandLineW
Wow64EnableWow64FsRedirection
GetSystemDirectoryW
GetNativeSystemInfo
IsWow64Process
GetCurrentProcess
SetProcessDEPPolicy
FormatMessageW
GetLastError
LoadLibraryExW
FreeLibrary
ExitProcess
SetErrorMode
DelayLoadFailureHook
InterlockedCompareExchange
LoadLibraryExA
Sleep
GetStartupInfoW
InterlockedExchange
SetUnhandledExceptionFilter
GetModuleHandleA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
CompareStringW
ReleaseActCtx
DeactivateActCtx
GetFileAttributesW
SearchPathW
CreateActCtxW
GetModuleHandleW
ActivateActCtx
USER32.dll LoadIconW
CharNextW
DefWindowProcW
GetClassLongW
GetClassNameW
GetWindow
GetWindowLongW
SetWindowLongW
SetClassLongW
CreateWindowExW
RegisterClassW
LoadCursorW
LoadStringW
MessageBoxW
DestroyWindow
msvcrt.dll iswalpha
_wtoi
wcschr
__wgetmainargs
memset
_vsnwprintf
__set_app_type
_controlfp
_except_handler4_common
?terminate@@YAXXZ
__p__fmode
__p__commode
__setusermatherr
_amsg_exit
_initterm
_wcmdln
exit
_XcptFilter
_exit
_cexit
imagehlp.dll ImageDirectoryEntryToData
ntdll.dll NtClose
NtOpenProcessToken
NtSetInformationToken
RtlImageNtHeader
NtSetInformationProcess
NtQueryInformationToken
ole32.dll (delay-loaded) CoCreateInstance
CLSIDFromString
CoInitializeEx
CoUninitialize

Delayed Imports

Attributes 0x1
Name ole32.dll
ModuleHandle 0x507c
DelayImportAddressTable 0x5000
DelayImportNameTable 0x404c
BoundDelayImportTable 0
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xd0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.72113
MD5 f5ef54828a5b59ebe22f0b18441dd171
SHA1 9568c741904fb98030b7f11d785f5072ef376ebf
SHA256 505dd2e47df4b00c1b84d363c38c5218fb463e43ce8fb1b3669ec74f8607e6af
SHA3 98bc2fc1ddb0e3c6c8d7f3d94b5d4384abbcd0861f7cdf8de50ad1e9d61f89ca

1 (#2)

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.74387
MD5 aed65d607a8655ab410d2f033622c850
SHA1 7aa5674f065b858e2a12bfaf4ec0a732a265c200
SHA256 43c76d9d41826202f598caae3e7976c97908d76aaa41736ad375b4742f769192
SHA3 fbd9471cae3716ce7366ed62037666942f508c8d89b204caed097ba528af15ae

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.98239
MD5 713048af6f1ad7dd0785a588cee4c9f6
SHA1 9464803a86f7b9c3726b8119f5aa1b8e1a81eb52
SHA256 144a5bc72c0c32931678d4c2e6462b0474dd4a1926a2f28ddfa92f475414529d
SHA3 855937591faa2ae97ddff78b7a496604a9d365c8bffba28b4aa661e2a14fb57b

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0xea8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.37715
MD5 4209c88788d6efe30f8ace0d916d8800
SHA1 7a24aab8f3f9fe3fb1a72fd7ef217a80e56b4ccb
SHA256 3f71cf459aca547acf4db8e16089e52fffa96a4171f211167ff3badc05f209d4
SHA3 64bd606d59d238bc5032526e7ed167707660d62b6670fd7ed1c314948b22711d

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.30581
MD5 d9d1004aa9d78a0af6e536a44194a2e9
SHA1 7aef9a3d1fe95fc1ee05c6b823a2b3eaa4a9523f
SHA256 b805209ac77826c0e7ae4b32497bf66baf8663bacc9b52f7d6097955adf4d322
SHA3 ccd355c2027a12d44826b08b0c92579fa3a225ecb99d5b6f811e691fc302b829

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.7441
MD5 7095152d7e9fa590d9654066ec92876b
SHA1 9837afcd3a5b25380eb7227997c798578e14ea4f
SHA256 904010df6273c2f0593085d19befee867f9c087b95cddff698003c3ec952a38e
SHA3 cac4276dc525b1496eb8b8d923d16106fea5d7bbdac1ee9d5dc924799ed9f4e4

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.20312
MD5 d0189d7ed1b70bc283b645ec1cd61c12
SHA1 50e05ca112cd2d39ed1fdbe70c30ba8044d350b6
SHA256 baa9c69fb69cb16d83daf81d21f3521ef1cb9d443232c1f75c87ba3640342768
SHA3 1bde94fc72c2706a850def4151b5cdbaf2e778622340cc67699c33352474aadb

7

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.45397
MD5 71f0d7ab3f85eeebdea79e9cb70fc990
SHA1 3c5f36a8c1d2027e83ed9301e3c331360f41bc47
SHA256 869c9f1c03b80ba9e7cf47e1541a9d7e25b3e60fbf0c1e8dad2307feb20c9251
SHA3 707ea931e19b65e780002ef950085b84a0d039900f5ef07117afd97904fa2605

8

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.56705
MD5 ec8f1b60b1ad4e00a3b0e30f6952d95b
SHA1 afb0fdec863fe7e4520a3e449bac7aa48071112f
SHA256 d13822168dfdb4cce93d7d3aa440ec64aca3a6651366152a74a3f105c671f89a
SHA3 69e9730cbe09f565d79ec62c920df577659f0946ef066ee244edbae3b0dfccee

100

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x76
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.81158
Detected Filetype Icon file
MD5 c0b3e66fcb80cecddabf09088b3e8188
SHA1 f112cc8039776eaebae28f9be81059bbdda5f357
SHA256 0f8e66b41e930335fa661b03299b12d6e7d8f04e7e35a117cb6966b9d1258497
SHA3 e25f05b084976b3701054e42f311d42d2ef54fe0f7ac69e7ec201d9b4f5959b6

1 (#3)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x3a0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.58303
MD5 69144b5cd37e5479a4227361763742c3
SHA1 00572cc873117ce67d5000132486d02f892ba093
SHA256 775f927c780cb6bdfd93a1e5636ed4e53e5483340cb65de3c69128689838d499
SHA3 0a33e2aba2af2afd584b725889361a190693f04d1adce7fc31542880a1d7c5b6

1 (#4)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x28f
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.05389
MD5 ddb9aa34d8f82456e5990e4c04c447b7
SHA1 376a989939cb5cdab92e23f90d5a7963b5e681a0
SHA256 4beedc8306c1878d6abd1e7bf9fd8aebbb95afa7591e1248ef1bfe56de6e0a45
SHA3 7ee7c5042c867084943c4bf95dc5967152cde1df0b0a67e96d780c7733d1773a

7 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x164
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.93911
MD5 83b688e57d46db200b9f9d80d4318185
SHA1 0a1b953734746f5e4ef44776873263c64a16d528
SHA256 b34eadb247a24ae33b142f1020218579435969196c817873ddde34940d83be06
SHA3 430f025cf2f0133ad90b4899920c8cd2034d1bf03b8a3d14f4828d9476ac4909

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.1.7600.16385
ProductVersion 6.1.7600.16385
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Windows host process (Rundll32)
FileVersion (#2) 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName rundll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename RUNDLL32.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.1.7600.16385
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2009-Jul-13 23:41:43
Version 0.0
SizeofData 37
AddressOfRawData 0x4978
PointerToRawData 0x3d78
Referenced File rundll32.pdb

IMAGE_DEBUG_TYPE_RESERVED

Characteristics 0
TimeDateStamp 2009-Jul-13 23:41:43
Version 565.6526
SizeofData 4
AddressOfRawData 0x4974
PointerToRawData 0x3d74

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x5c5040
SEHandlerTable 0x5c2680
SEHandlerCount 1

RICH Header

XOR Key 0x2cda1d12
Unmarked objects 0
ASM objects (VS2008 SP1 build 30729) 1
Imports (VS2008 SP1 build 30729) 11
Total imports 100
C++ objects (VS2008 SP1 build 30729) 3
C objects (VS2008 SP1 build 30729) 21
Linker (VS2008 SP1 build 30729) 1
Resource objects (VS2008 SP1 build 30729) 1

Errors

[!] Error: Could not read an IMAGE_BASE_RELOCATION!
[*] Warning: Section .reloc has a size of 0!