ReAgent[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ReAgent.dll
Size

942KB
MD5

0e94f9a7ab6fa4da91d794f8bce59616
SHA1

894fb489cba186a8a1e6bdafec2e52a9360bf9ad
SHA256

b38176b196d2bcae54c090f67b2ece8241695bee0275f2a9e6d594fd05540b17
SHA512

a9183b6299fd7d067fccc2840bacabec2cf3245b7f352bd08b5e176506db9f23642dbc6cc1c2e96cf9946dec8739ab4ea56856fbe2b8955f8df26ebb6dcf2a44
SSDEEP

24576:GcQeVhfHn/jD6PbpJWZ1SLvhdR7fj5lAqL:G0Vh/bWzpJ4qr9lbL

Score

1^/10

Malware Config

Signatures

Files

ReAgent.dll
.dll windows:10 windows x86 arch:x86

5146e32e59c53ac67593431909ee032f

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/12/2020, 21:29

Not After

02/12/2021, 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ab:bf:cb:47:aa:8d:d2:e7:3b:9c:58:24:67:8f:57:8a:60:0c:05:2c:83:00:42:a4:1a:04:28:a4:17:70:d1:3e
Signer

Actual PE Digest

ab:bf:cb:47:aa:8d:d2:e7:3b:9c:58:24:67:8f:57:8a:60:0c:05:2c:83:00:42:a4:1a:04:28:a4:17:70:d1:3e

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

ReAgent.pdb

Imports

msvcrt

_vsnprintf
wcsrchr
??0exception@@QAE@ABV0@@Z
_wcsicmp
_wcsnicmp
atol
_vsnwprintf
_purecall
memcmp
memcpy
_onexit
__dllonexit
_unlock
wcschr
_except_handler4_common
_atoi64
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
memmove
_initterm
_amsg_exit
_XcptFilter
_callnewh
swscanf_s
wcsnlen
wcsncmp
_strcmpi
wcsstr
strcpy_s
memcpy_s
_strnicmp
_wcslwr
_wcsrev
qsort
towupper
_wcsupr
wcstoul
memmove_s
iswspace
wcscpy_s
wcscat_s
swprintf_s
_ultow_s
_snwscanf_s
strncmp
wprintf
_vscwprintf
bsearch
iswalpha
toupper
_wtoi64
_CxxThrowException
??1type_info@@UAE@XZ
__CxxFrameHandler3
_lock
malloc
free
memset

ntdll

RtlFreeUnicodeString
RtlStringFromGUID
ZwWaitForSingleObject
ZwQueryKey
ZwReleaseMutant
ZwOpenFile
ZwOpenMutant
ZwClose
RtlAppendUnicodeToString
ZwQueryAttributesFile
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateKey
ZwLoadKey
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
ZwDeleteValueKey
RtlFreeSid
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
RtlCreateAcl
ZwSetSecurityObject
ZwUnloadKey
RtlCreateSecurityDescriptor
ZwSetValueKey
ZwOpenKey
ZwAllocateUuids
LdrGetProcedureAddress
LdrGetDllHandle
RtlInitAnsiString
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwOpenSymbolicLinkObject
RtlGetVersion
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
NtOpenSymbolicLinkObject
NtOpenKey
NtQuerySymbolicLinkObject
NtDeviceIoControlFile
NtQueryValueKey
NtQueryBootEntryOrder
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
RtlCompareMemory
NtYieldExecution
DbgPrintEx
RtlDowncaseUnicodeChar
NtQuerySystemInformation
RtlInitializeCriticalSection
RtlNtStatusToDosError
RtlGUIDFromString
RtlRaiseStatus
NtClose
RtlInitUnicodeString
RtlAdjustPrivilege
RtlFreeHeap
RtlGetLastNtStatus
RtlSetControlSecurityDescriptor
RtlReAllocateHeap
RtlDeleteCriticalSection
RtlDeleteResource
RtlReleaseResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlInitializeResource
RtlImpersonateSelf
NtSetEaFile
NtCreateFile
NtSetInformationFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
NtQueryVolumeInformationFile
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
NtSetSecurityObject
RtlFindAceByType
ZwQuerySystemInformation

kernel32

GetCurrentDirectoryW
GetLastError
SetLastError
GetProcessHeap
HeapFree
TlsGetValue
HeapAlloc
GetSystemDirectoryW
CreateFileW
CloseHandle
GetFileAttributesExW
GetVolumeNameForVolumeMountPointW
DeviceIoControl
FindFirstVolumeW
GetDriveTypeW
GetDiskFreeSpaceExW
FindNextVolumeW
FindVolumeClose
GetFileAttributesW
GetFullPathNameW
GetVolumePathNameW
MultiByteToWideChar
GetFileSize
ReadFile
SetEndOfFile
WriteFile
MoveFileExW
SetFileAttributesW
RemoveDirectoryW
CopyFileW
GetVersionExW
GetSystemWindowsDirectoryW
GetWindowsDirectoryW
GetTempPathW
CreateDirectoryW
GetFileSizeEx
GetModuleHandleW
GetProcAddress
GetTickCount64
ExpandEnvironmentStringsW
CompareStringW
FindFirstFileW
FindNextFileW
FindClose
GetVolumePathNamesForVolumeNameW
WritePrivateProfileStringW
GetPrivateProfileStringW
GetFileInformationByHandle
SetFirmwareEnvironmentVariableW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetFirmwareEnvironmentVariableW
FreeLibrary
GetModuleHandleExW
GetHandleInformation
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
LocalFree
FlushFileBuffers
GetSystemInfo
VirtualQuery
GetCurrentThread
GetTempFileNameW
ReleaseSRWLockExclusive
InitializeCriticalSection
HeapReAlloc
CreateEventW
InitializeCriticalSectionAndSpinCount
GetVolumeInformationW
LockFileEx
UnlockFileEx
LocalAlloc
GetModuleFileNameW
WaitForSingleObject
WideCharToMultiByte
OpenProcess
DuplicateHandle
GetPrivateProfileSectionW
ReleaseSemaphore
SetEvent
WaitForMultipleObjects
CreateSemaphoreW
CreateThread
GetVolumeInformationByHandleW
GlobalMemoryStatusEx
GetFinalPathNameByHandleW
LoadLibraryExW
WaitForMultipleObjectsEx
CopyFileExW
CreateSemaphoreExW
LoadLibraryW
CreateProcessW
GetExitCodeProcess
SetVolumeMountPointW
GetFileTime
SetFileTime
VirtualProtect
SetFilePointerEx
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
TlsFree
DeleteCriticalSection
TlsSetValue
TlsAlloc
LoadLibraryExA
AcquireSRWLockExclusive
SetFilePointer
RaiseException
SetThreadIdealProcessor
VirtualFree
DeleteFileW
VirtualAlloc

bcrypt

BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptGetProperty
BCryptHashData
BCryptCreateHash
BCryptOpenAlgorithmProvider
BCryptDestroyHash

cabinet

ord20
ord22
ord23

advapi32

GetSecurityDescriptorDacl
GetSecurityDescriptorControl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
EventWriteTransfer
EventUnregister
EventRegister
ConvertStringSecurityDescriptorToSecurityDescriptorW
FreeSid
SetNamedSecurityInfoW
AddAccessAllowedAceEx
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
InitiateSystemShutdownExW
RegDeleteTreeW
RegSaveKeyW
RegCreateKeyExW
RegDeleteKeyW
RegOpenKeyW
RegUnLoadKeyW
RegLoadKeyW
RegSetKeyValueW
RegGetValueW
RegSetValueExW
RegDeleteValueW
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
GetSecurityDescriptorSacl
SetSecurityInfo
RegCopyTreeW
TraceMessage
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
ReadEncryptedFileRaw
RevertToSelf
CloseEncryptedFileRaw
WriteEncryptedFileRaw
OpenEncryptedFileRawW
GetSecurityInfo
DuplicateTokenEx
SetThreadToken
EventWrite
OpenThreadToken
RegFlushKey
GetAclInformation
GetSecurityDescriptorLength

user32

CharUpperW
LoadStringW

imagehlp

ImageNtHeader

ole32

CoInitializeEx
CoCreateInstance
CoUninitialize
CoCreateGuid
CoInitialize
CoTaskMemFree

oleaut32

VariantClear
SysAllocString
SysFreeString
VariantInit

rpcrt4

RpcStringFreeW
UuidToStringW
UuidCreate
UuidCompare

Exports

Exports

WinRECheckGuid
WinREUseNewPBRImage
WinRE_Generalize
WinRE_Specialize
WinReClearBootApp
WinReClearError
WinReClearOemImagePath
WinReConfigureTask
WinReCopyLogFilesToRamdisk
WinReCreateLogInstance
WinReCreateLogInstanceEx
WinReDeleteLogFiles
WinReGetConfig
WinReGetCustomization
WinReGetError
WinReGetLogDirPath
WinReGetWIMInfo
WinReInitiateOfflineScanning
WinReInstall
WinReInstallOnTargetOS
WinReIsInstalledOnSystemPartition
WinReIsWimBootEnabled
WinReIsWinPE
WinReOobeInstall
WinReOpenLogInstance
WinRePostBCDRepair
WinReReinstall
WinReRepair
WinReRestoreConfigAfterPBR
WinReRestoreLogFiles
WinReSetBootApp
WinReSetConfig
WinReSetCustomization
WinReSetError
WinReSetRecoveryAction
WinReSetRecoveryActionEx
WinReSetRecoveryActionNoBcd
WinReSetTriggerFile
WinReSetupBackupWinRE
WinReSetupCheckWinRE
WinReSetupInstall
WinReSetupMigrateData
WinReSetupRestoreWinREEx
WinReSetupSetImage
WinReUnInstall
WinReUpdateLogInstance
WinReValidateRecoveryWim
winreFindInstallMedia
winreGetBinaryArch

Sections

.text
Size: 864KB - Virtual size: 864KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5146e32e59c53ac67593431909ee032f

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

ab:bf:cb:47:aa:8d:d2:e7:3b:9c:58:24:67:8f:57:8a:60:0c:05:2c:83:00:42:a4:1a:04:28:a4:17:70:d1:3eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

kernel32

bcrypt

cabinet

advapi32

user32

imagehlp

ole32

oleaut32

rpcrt4

Exports

Exports

Sections

.text Size: 864KB - Virtual size: 864KB

.data Size: 12KB - Virtual size: 15KB

.idata Size: 10KB - Virtual size: 9KB

.didat Size: 512B - Virtual size: 88B

.rsrc Size: 14KB - Virtual size: 13KB

.reloc Size: 32KB - Virtual size: 32KB

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

ab:bf:cb:47:aa:8d:d2:e7:3b:9c:58:24:67:8f:57:8a:60:0c:05:2c:83:00:42:a4:1a:04:28:a4:17:70:d1:3e
Signer

.text
Size: 864KB - Virtual size: 864KB

.data
Size: 12KB - Virtual size: 15KB

.idata
Size: 10KB - Virtual size: 9KB

.didat
Size: 512B - Virtual size: 88B

.rsrc
Size: 14KB - Virtual size: 13KB

.reloc
Size: 32KB - Virtual size: 32KB