Static task
static1
Behavioral task
behavioral1
Sample
RunDll32.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
RunDll32.exe
Resource
win10v2004-20230220-en
General
-
Target
RunDll32.exe.7z
-
Size
1.0MB
-
MD5
b7cecfad9f3d87e0dbc27eae5d28b15a
-
SHA1
9cbc1328aca4c5e0739affe6f23d448154dbfec9
-
SHA256
5d34615f6959c00319ba016b4a0526dae1ab4f1f6623ff9fd11dc9e1cc647fe1
-
SHA512
f43150eb2dbb40857358713481a25f00aba50d83c1f0c602e6323de0d073f4c8bd782faf8a37f43be4cc697788b29c1f6525c7417a2a1dd698f23623d64795ae
-
SSDEEP
24576:Yn0VtleXOjCri9Lb6Fp0YxRo5dP3UTmt48JKwBUpwXYD3o6yDL79:p4+z9Lb6FaYxWLP3UTZ8JKw+6YDY6E
Malware Config
Signatures
-
Unsigned PE — 1 IoC
Checks for a missing Authenticode signature on the PE file.
resource unpack001/RunDll32.exe
Files
-
RunDll32.exe.7z.7z
Password: infected
-
RunDll32.exe.exe windows x86
Password: infected
8671ba8ef8620ba5db0179bde363e97e
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
Imports
libevent-2-1-7
evdns_add_server_port_with_base
evdns_base_clear_nameservers_and_suspend
evdns_base_config_windows_nameservers
evdns_base_count_nameservers
evdns_base_get_nameserver_addr
evdns_base_nameserver_ip_add
evdns_base_new
evdns_base_resolv_conf_parse
evdns_base_resolve_ipv4
evdns_base_resolve_ipv6
evdns_base_resolve_reverse
evdns_base_resolve_reverse_ipv6
evdns_base_resume
evdns_base_search_clear
evdns_base_set_option
evdns_close_server_port
evdns_server_request_add_a_reply
evdns_server_request_add_aaaa_reply
evdns_server_request_add_ptr_reply
evdns_server_request_get_requesting_addr
evdns_server_request_respond
evdns_set_log_fn
evdns_shutdown
event_active
event_add
event_base_free
event_base_get_method
event_base_loop
event_base_loopbreak
event_base_loopexit
event_base_new_with_config
event_config_free
event_config_new
event_config_set_flag
event_config_set_num_cpus_hint
event_del
event_free
event_get_version
event_new
event_pending
event_set_log_callback
event_set_mem_functions
evutil_secure_rng_add_bytes
evutil_secure_rng_get_bytes
evutil_secure_rng_init
evutil_secure_rng_set_urandom_device_file
libssp-0
__stack_chk_fail
__stack_chk_guard
advapi32
CryptAcquireContextA
CryptGenRandom
iphlpapi
GetAdaptersAddresses
kernel32
AcquireSRWLockExclusive
CloseHandle
CreateFileA
CreateFileMappingA
CreateNamedPipeA
CreateProcessA
DeleteCriticalSection
EnterCriticalSection
FindClose
FindFirstFileA
FindNextFileA
FormatMessageA
FreeLibrary
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetFileSize
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetStartupInfoA
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
GlobalMemoryStatusEx
HeapSetInformation
InitializeConditionVariable
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeSRWLock
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LocalFree
MapViewOfFile
MultiByteToWideChar
OpenProcess
QueryPerformanceCounter
QueryPerformanceFrequency
ReadFileEx
ReleaseSRWLockExclusive
SetConsoleCtrlHandler
SetHandleInformation
SetLastError
SetUnhandledExceptionFilter
Sleep
SleepConditionVariableSRW
SleepEx
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnmapViewOfFile
VirtualLock
VirtualProtect
VirtualQuery
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFileEx
msvcrt
__getmainargs
__initenv
__mb_cur_max
__p__acmdln
__p__commode
__p__fmode
__set_app_type
__setusermatherr
_amsg_exit
_beginthread
_cexit
_endthread
_environ
_errno
_chsize
_fstati64
_fullpath
_getpid
_getwch
_initterm
_iob
_lock
_locking
_lseek
_lseeki64
_onexit
_putch
_snprintf
_stati64
_stricmp
_strnicmp
_unlock
_vsnprintf
abort
atoi
calloc
exit
fclose
feof
fgetc
fgets
fopen
fprintf
fputc
fputs
free
frexp
fwrite
islower
isspace
isupper
localeconv
malloc
memchr
memcmp
memcpy
memmove
memset
mktime
localtime
gmtime
puts
qsort
realloc
rename
setlocale
signal
strcat
strchr
strcmp
strcspn
strerror
strftime
strlen
strncmp
strncpy
strpbrk
strrchr
strspn
strstr
strtol
strtoul
vfprintf
time
wcslen
_write
_utime
_unlink
_strdup
_read
_open
_mkdir
_getcwd
_fileno
_fdopen
_close
shell32
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
shlwapi
PathMatchSpecA
ws2_32
WSACleanup
WSAGetLastError
WSAIoctl
WSASetLastError
WSAStartup
accept
bind
closesocket
connect
gethostbyname
gethostname
getsockname
getsockopt
htonl
htons
ioctlsocket
listen
ntohl
ntohs
recv
send
setsockopt
socket
libcrypto-1_1
ASN1_TIME_print
BIO_ctrl
BIO_free
BIO_method_type
BIO_new
BIO_new_socket
BIO_next
BIO_number_read
BIO_number_written
BIO_s_mem
BN_bin2bn
BN_bn2bin
BN_bn2hex
BN_clear_free
BN_cmp
BN_copy
BN_dup
BN_free
BN_hex2bn
BN_is_word
BN_new
BN_num_bits
BN_set_word
BN_sub_word
BN_to_ASN1_INTEGER
CONF_modules_unload
CRYPTO_free
CRYPTO_get_ex_new_index
DH_compute_key
DH_free
DH_generate_key
DH_get0_key
DH_new
DH_set0_pqg
DH_set_length
DH_size
DH_up_ref
EC_KEY_free
EC_KEY_new_by_curve_name
ENGINE_by_id
ENGINE_ctrl_cmd_string
ENGINE_free
ENGINE_get_cipher_engine
ENGINE_get_default_DH
ENGINE_get_default_EC
ENGINE_get_default_RAND
ENGINE_get_default_RSA
ENGINE_get_digest_engine
ENGINE_get_id
ENGINE_get_name
ENGINE_load_builtin_engines
ENGINE_register_all_complete
ENGINE_set_default
ERR_func_error_string
ERR_get_error
ERR_lib_error_string
ERR_peek_error
ERR_reason_error_string
EVP_CIPHER_CTX_free
EVP_CIPHER_CTX_new
EVP_CIPHER_CTX_reset
EVP_EncryptInit
EVP_EncryptUpdate
EVP_PKEY_CTX_ctrl
EVP_PKEY_CTX_free
EVP_PKEY_CTX_new_id
EVP_PKEY_assign
EVP_PKEY_base_id
EVP_PKEY_bits
EVP_PKEY_cmp
EVP_PKEY_derive
EVP_PKEY_derive_init
EVP_PKEY_free
EVP_PKEY_get1_RSA
EVP_PKEY_new
EVP_aes_128_ctr
EVP_aes_192_ctr
EVP_aes_256_ctr
EVP_sha256
HMAC
OBJ_txt2nid
OPENSSL_sk_num
OPENSSL_sk_value
OpenSSL_version
OpenSSL_version_num
PKCS5_PBKDF2_HMAC_SHA1
RAND_OpenSSL
RAND_bytes
RAND_get_rand_method
RAND_poll
RAND_seed
RAND_set_rand_method
RAND_status
RSAPrivateKey_dup
RSAPublicKey_dup
RSA_bits
RSA_check_key
RSA_free
RSA_generate_key_ex
RSA_get0_d
RSA_get0_dmp1
RSA_get0_dmq1
RSA_get0_e
RSA_get0_factors
RSA_get0_iqmp
RSA_get0_key
RSA_get0_n
RSA_get0_p
RSA_get0_q
RSA_new
RSA_private_decrypt
RSA_private_encrypt
RSA_public_decrypt
RSA_public_encrypt
RSA_size
SHA1
SHA1_Final
SHA1_Init
SHA1_Update
SHA256
SHA256_Final
SHA256_Init
SHA256_Update
SHA512
SHA512_Final
SHA512_Init
SHA512_Update
X509_NAME_add_entry_by_NID
X509_NAME_free
X509_NAME_new
X509_STORE_add_cert
X509_cmp
X509_cmp_time
X509_dup
X509_free
X509_get0_notAfter
X509_get0_notBefore
X509_get_pubkey
X509_get_serialNumber
X509_getm_notAfter
X509_getm_notBefore
X509_new
X509_set_issuer_name
X509_set_pubkey
X509_set_subject_name
X509_set_version
X509_sign
X509_time_adj
X509_verify
d2i_RSAPrivateKey
d2i_RSAPublicKey
d2i_X509
i2d_RSAPrivateKey
i2d_RSAPublicKey
i2d_X509
libssl-1_1
OPENSSL_init_ssl
SSL_CIPHER_find
SSL_CIPHER_get_id
SSL_CIPHER_get_name
SSL_CTX_check_private_key
SSL_CTX_ctrl
SSL_CTX_free
SSL_CTX_get_cert_store
SSL_CTX_new
SSL_CTX_set_options
SSL_CTX_set_security_level
SSL_CTX_set_verify
SSL_CTX_use_PrivateKey
SSL_CTX_use_certificate
SSL_SESSION_get_master_key
SSL_accept
SSL_connect
SSL_ctrl
SSL_export_keying_material
SSL_free
SSL_get_certificate
SSL_get_client_ciphers
SSL_get_client_random
SSL_get_current_cipher
SSL_get_error
SSL_get_ex_data
SSL_get_peer_cert_chain
SSL_get_peer_certificate
SSL_get_rbio
SSL_get_server_random
SSL_get_session
SSL_get_state
SSL_get_wbio
SSL_new
SSL_pending
SSL_read
SSL_set_bio
SSL_set_cipher_list
SSL_set_ex_data
SSL_set_info_callback
SSL_set_options
SSL_set_session_secret_cb
SSL_set_verify
SSL_state_string_long
SSL_version
SSL_write
TLS_method
zlib1
deflate
deflateEnd
deflateInit2_
inflate
inflateEnd
inflateInit2_
zlibVersion
Sections
.text Size: 2.9MB - Virtual size: 2.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 47KB - Virtual size: 46KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 803KB - Virtual size: 803KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
/4 Size: 278KB - Virtual size: 277KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.bss Size: - Virtual size: 23KB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 14KB - Virtual size: 13KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.CRT Size: 512B - Virtual size: 48B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 512B - Virtual size: 8B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 121KB - Virtual size: 120KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ