ReAgent[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ReAgent.dll
Size

242KB
MD5

ce3e942a9bf70370c21ee056fc2bfbbd
SHA1

320df43a26d63d4a74b17e491292de4e15abf7ba
SHA256

16202250270bd492d495a9b97e21e04481695034ef98168cd6c0a9ae61217233
SHA512

3e8959b067009a8d4873743ab4d3d5081a53e8c8278ee6cbd073c42263e53240d56ad1d831be6acdca58bc1f4661688cd0f679b534e0b12b0c9f4e852e353cd1
SSDEEP

6144:RVZ7tXGYYP7/a983cbwGFgh7l6Mty/W+:xtmDaWwwhM/W

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ReAgent.dll

Files

ReAgent.dll
.dll windows:6 windows x86 arch:x86

6d6e21e643a766cddebf5645ed16140a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

ReAgent.pdb

Imports

msvcrt

??3@YAXPAX@Z
_purecall
_wcsicmp
??2@YAPAXI@Z
atol
_atoi64
_vsnprintf
_XcptFilter
malloc
_vsnwprintf
memcpy
memset
_wcslwr
free
_initterm
_amsg_exit
_except_handler4_common
_snwscanf_s
_wcsupr
swprintf_s
memmove
wcstoul
_wcsnicmp
wcscat_s
wcscpy_s
_ultow_s
wcschr
wcsrchr
wcsstr
wcsnlen
strncmp

ntdll

RtlRaiseStatus
RtlNtStatusToDosError
RtlFreeHeap
RtlInitUnicodeString
NtQuerySystemInformation
RtlFreeUnicodeString
RtlStringFromGUID
RtlAllocateHeap
NtOpenFile
NtWaitForSingleObject
NtDeviceIoControlFile
NtCreateEvent
NtOpenKey
NtEnumerateKey
WinSqmSetString
NtQueryAttributesFile
NtUnloadKey
NtLoadKey
NtAdjustPrivilegesToken
NtOpenProcessToken
NtOpenThreadToken
RtlFreeSid
RtlSetOwnerSecurityDescriptor
RtlLengthSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAceEx
RtlCreateAcl
RtlLengthSid
RtlAllocateAndInitializeSid
NtSetSecurityObject
NtCreateKey
NtDeleteValueKey
NtQueryValueKey
NtSetValueKey
NtDeleteKey
NtAllocateUuids
LdrGetProcedureAddress
RtlInitAnsiString
LdrGetDllHandle
NtResetEvent
RtlGetVersion
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtYieldExecution
DbgPrintEx
RtlReAllocateHeap
RtlDowncaseUnicodeChar
RtlCompareMemory
NtClose
RtlGUIDFromString
WinSqmIncrementDWORD
WinSqmSetDWORD
NtQueryKey

kernel32

GetLastError
CreateFileW
TlsFree
DeleteCriticalSection
TlsSetValue
TlsAlloc
InitializeCriticalSection
HeapAlloc
GetProcessHeap
HeapFree
GetSystemDirectoryW
DeleteFileW
GetFileAttributesExW
SetLastError
MultiByteToWideChar
LeaveCriticalSection
EnterCriticalSection
WriteFile
SetEndOfFile
ReadFile
GetFileSize
GetCurrentProcess
SetFileAttributesW
GetFileInformationByHandle
TlsGetValue
CreateDirectoryW
GetVolumeNameForVolumeMountPointW
DeviceIoControl
FindVolumeClose
FindNextVolumeW
GetDiskFreeSpaceExW
GetDriveTypeW
FindFirstVolumeW
CopyFileW
MoveFileExW
CloseHandle
GetVolumePathNameW
GetFullPathNameW
GetFileAttributesW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
FindClose
FindNextFileW
CopyFileExW
FindFirstFileW
GetVolumePathNamesForVolumeNameW
SetErrorMode
ReleaseActCtx
DeactivateActCtx
ActivateActCtx
CreateActCtxW
GetModuleFileNameW
GetModuleHandleW
InterlockedExchange
Sleep
InterlockedCompareExchange
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
VirtualAlloc
VirtualFree
GetCurrentThread
LoadLibraryW
GetProcAddress
FreeLibrary
RemoveDirectoryW
GetVersionExW

advapi32

AllocateAndInitializeSid
DuplicateTokenEx
SetThreadToken
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
EventWrite
EventUnregister
EventRegister
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenThreadToken
GetLengthSid
InitializeAcl
AddAccessAllowedAceEx
SetNamedSecurityInfoW
FreeSid
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegSetValueExW
RegQueryValueExW
RegDeleteKeyW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
TraceMessage

user32

SendMessageW

comctl32

ord345

imagehlp

ImageNtHeader

ole32

CoCreateInstance
CoUninitialize
CoInitializeEx

oleaut32

VariantClear
SysFreeString
SysAllocString
VariantInit

shell32

ShellExecuteExW

wdscore

ConstructPartialMsgVW
CurrentIP
WdsSetupLogMessageW

Exports

Exports

WinRE_Generalize
WinReAddLogFile
WinReCompleteRecovery
WinReCopyLogFilesToRamdisk
WinReCopySetupFiles
WinReCreateLogInstance
WinReCreateLogInstanceEx
WinReDeleteLogFiles
WinReGetConfig
WinReGetGroupPolicies
WinReGetLogFile
WinReGetWIMInfo
WinReInstall
WinReIsInstallMedia
WinReOpenLogInstance
WinRePostRecovery
WinReRestoreLogFiles
WinReSetConfig
WinReSetRecoveryAction
WinReSetRecoveryActionEx
WinReUnInstall
WinReUpdateLogInstance
winreFindInstallMedia
winreGetBinaryArch

Sections

.text
Size: 223KB - Virtual size: 222KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6d6e21e643a766cddebf5645ed16140a

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

kernel32

advapi32

user32

comctl32

imagehlp

ole32

oleaut32

shell32

wdscore

Exports

Exports

Sections

.text Size: 223KB - Virtual size: 222KB

.data Size: 512B - Virtual size: 1KB

.rsrc Size: 7KB - Virtual size: 6KB

.reloc Size: 10KB - Virtual size: 10KB

.text
Size: 223KB - Virtual size: 222KB

.data
Size: 512B - Virtual size: 1KB

.rsrc
Size: 7KB - Virtual size: 6KB

.reloc
Size: 10KB - Virtual size: 10KB