ReAgent[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ReAgent.dll
Size

790KB
MD5

75aa1c4f89b031585568efba1cb9508b
SHA1

a8fe6ee3ea179864e05ce48543acd9f4b8ae8429
SHA256

74c79b255714d12ab84fd8f89c804d10d8614310859ecf88d490197de562f0e9
SHA512

e0546beca1b74c740b350adbf8ec32223704b60e9ac29029174cc9fb825f90ce5e9f5de1d8d7b3a19cf0057005dce90ed53baedd4a76df3b7af32b5d7988d676
SSDEEP

12288:NecqKy7feRWg3bepgIdN4hCh56T2kuV5M3CMRxuTrMIWYqfDM3pCgEbecyPh9Jnp:Nec5ydVmCCUM9dfDM3pCTec0hTjJN2g

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ReAgent.dll

Files

ReAgent.dll
.dll windows:6 windows x86 arch:x86

9f052c86bc9121e721976a4fc1f72ae8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

ReAgent.pdb

Imports

msvcrt

wcsstr
swprintf_s
wcscat_s
_ultow_s
wcscpy_s
bsearch
_vscwprintf
__CxxFrameHandler3
iswspace
memcpy_s
memmove_s
wprintf
memcmp
memset
memcpy
_snwscanf_s
strncmp
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
??1type_info@@UAE@XZ
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
_wcsnicmp
_vsnprintf
_atoi64
atol
wcschr
toupper
memmove
??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABV0@@Z
free
wcsrchr
malloc
_wcsicmp
_purecall
_vsnwprintf
swscanf_s
wcsnlen
wcsncmp
towupper
_wcslwr
_wcsrev
qsort
_wcsupr
wcstoul

ntdll

RtlInitAnsiString
RtlGetVersion
RtlNtStatusToDosError
RtlGUIDFromString
RtlRaiseStatus
NtClose
RtlFreeHeap
RtlAdjustPrivilege
WinSqmSetString
WinSqmSetDWORD
WinSqmIncrementDWORD
RtlInitializeCriticalSection
RtlLeaveCriticalSection
RtlDeleteCriticalSection
RtlReAllocateHeap
NtWaitForSingleObject
RtlEnterCriticalSection
RtlDeleteResource
RtlReleaseResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlInitializeResource
NtQuerySystemInformation
RtlStringFromGUID
ZwQuerySystemInformation
RtlFreeUnicodeString
ZwOpenMutant
ZwReleaseMutant
ZwWaitForSingleObject
ZwClose
ZwOpenFile
ZwQueryAttributesFile
RtlAppendUnicodeToString
ZwUnloadKey
ZwCreateKey
RtlCreateAcl
RtlFreeSid
RtlSetDaclSecurityDescriptor
ZwDeleteValueKey
ZwSetValueKey
ZwQueryValueKey
RtlLengthSecurityDescriptor
ZwSetSecurityObject
RtlAddAccessAllowedAceEx
ZwLoadKey
RtlAllocateAndInitializeSid
ZwDeleteKey
ZwEnumerateKey
RtlLengthSid
RtlCreateSecurityDescriptor
ZwQueryKey
ZwOpenKey
RtlSetOwnerSecurityDescriptor
ZwAllocateUuids
LdrGetProcedureAddress
LdrGetDllHandle
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
NtAdjustPrivilegesToken
ZwCreateEvent
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
ZwDeviceIoControlFile
ZwResetEvent
NtOpenKey
NtDeviceIoControlFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtCreateEvent
NtQueryValueKey
NtResetEvent
NtQueryBootEntryOrder
NtTranslateFilePath
NtEnumerateBootEntries
NtYieldExecution
DbgPrintEx
RtlDowncaseUnicodeChar
RtlCompareMemory
RtlInitUnicodeString
RtlImpersonateSelf
NtQueryInformationFile
NtCreateFile
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
NtSetSecurityObject
RtlSetControlSecurityDescriptor
NtSetInformationFile

kernel32

FindClose
FindFirstFileW
FindNextFileW
MultiByteToWideChar
GetFileSize
SetEndOfFile
GetCurrentProcess
SetFileAttributesW
FindFirstVolumeW
GetDriveTypeW
DeviceIoControl
FindNextVolumeW
FindVolumeClose
GetFileInformationByHandle
SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetVolumePathNamesForVolumeNameW
SetErrorMode
CopyFileExW
GetVolumePathNameW
GetModuleFileNameW
CreateActCtxW
ActivateActCtx
DeactivateActCtx
ReleaseActCtx
CreateFileW
TlsGetValue
TlsSetValue
GetFullPathNameW
TlsAlloc
DeleteCriticalSection
TlsFree
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
GetHandleInformation
SetFilePointerEx
GetEnvironmentVariableW
CompareStringW
CreateEventW
InitializeCriticalSectionAndSpinCount
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
LocalFree
GetPrivateProfileSectionW
FlushFileBuffers
SetThreadIdealProcessor
GetCurrentThread
GetTempFileNameW
GetDiskFreeSpaceExW
InitializeCriticalSection
LocalAlloc
GetVolumeInformationW
LoadLibraryExW
FreeLibrary
LockFileEx
UnlockFileEx
DuplicateHandle
HeapReAlloc
WaitForSingleObject
ReleaseSemaphore
SetEvent
CreateThread
WaitForMultipleObjectsEx
CreateSemaphoreExW
LoadLibraryW
SetVolumeMountPointW
GetFileTime
SetFileTime
GetFileAttributesExW
MoveFileExW
GetSystemWindowsDirectoryW
CopyFileW
DeleteFileW
SetLastError
HeapFree
GetSystemDirectoryW
GetLastError
GetVersionExW
HeapAlloc
GetProcessHeap
LoadLibraryExA
DelayLoadFailureHook
GetSystemInfo
ExpandEnvironmentStringsW
GetFileAttributesW
WriteFile
GetTickCount64
GetProcAddress
GetModuleHandleW
ReadFile
GetFileSizeEx
RemoveDirectoryW
CreateDirectoryW
GetTempPathW
SetFilePointer
CloseHandle
VirtualAlloc
VirtualFree
GetPrivateProfileStringW
GetVolumeNameForVolumeMountPointW

advapi32

GetSecurityDescriptorDacl
OpenEncryptedFileRawW
GetAclInformation
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
CloseEncryptedFileRaw
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
RegFlushKey
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
ConvertStringSecurityDescriptorToSecurityDescriptorW
FreeSid
SetNamedSecurityInfoW
AddAccessAllowedAceEx
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteTreeW
RegSaveKeyW
RegOpenKeyW
RegSetKeyValueW
RegDeleteValueW
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
SetSecurityInfo
RegCopyTreeW
EventWrite
DuplicateTokenEx
CryptHashData
CryptCreateHash
SetThreadToken
OpenThreadToken
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
GetSecurityInfo
RevertToSelf
ReadEncryptedFileRaw
CryptAcquireContextW
RegUnLoadKeyW
RegLoadKeyW
RegDeleteKeyValueW
RegSetValueExW
RegQueryValueExW
RegDeleteKeyW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegGetValueW
TraceMessage
WriteEncryptedFileRaw

user32

LoadStringW
SendMessageW
CharUpperW

imagehlp

ImageNtHeader

ole32

CoInitializeEx
CoCreateInstance
CoUninitialize
CoCreateGuid
CoInitialize
CoTaskMemFree

oleaut32

VariantClear
SysAllocString
SysFreeString
VariantInit

shell32

ShellExecuteExW

wdscore

ConstructPartialMsgVW
CurrentIP
WdsSetupLogMessageW

rpcrt4

UuidCompare
UuidToStringW
RpcStringFreeW
UuidCreate

dismapi

DismAddDriver
DismUnmountImage
DismMountImage
DismDelete
DismGetDrivers
DismCloseSession
DismOpenSession
DismShutdown
DismInitialize
DismCommitImage

Exports

Exports

WinRECheckGuid
WinREUseNewPBRImage
WinRE_Generalize
WinRE_Specialize
WinReAddLogFile
WinReClearBootApp
WinReClearError
WinReClearOemImagePath
WinReCompleteRecovery
WinReConfigureTask
WinReCopyLogFilesToRamdisk
WinReCopySetupFiles
WinReCreateLogInstance
WinReCreateLogInstanceEx
WinReDeleteLogFiles
WinReGetConfig
WinReGetCustomization
WinReGetError
WinReGetGroupPolicies
WinReGetLogDirPath
WinReGetLogFile
WinReGetWIMInfo
WinReInstall
WinReInstallOnTargetOS
WinReIsInstallMedia
WinReIsWimBootEnabled
WinReIsWinPE
WinReOobeInstall
WinReOpenLogInstance
WinRePostBCDRepair
WinRePostRecovery
WinReRepair
WinReRestoreConfigAfterPBR
WinReRestoreLogFiles
WinReServiceBootUxFiles
WinReServicePbrFiles
WinReSetBootApp
WinReSetConfig
WinReSetCustomization
WinReSetError
WinReSetRecoveryAction
WinReSetRecoveryActionEx
WinReSetTriggerFile
WinReSetupBackupWinRE
WinReSetupCheckWinRE
WinReSetupInstall
WinReSetupMigrateDrivers
WinReSetupRestoreWinRE
WinReSetupRestoreWinREEx
WinReSetupSetImage
WinReUnInstall
WinReUpdateLogInstance
WinReValidateRecoveryWim
winreCollectAuxiliaryData
winreFindInstallMedia
winreGetBinaryArch

Sections

.text
Size: 732KB - Virtual size: 732KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9f052c86bc9121e721976a4fc1f72ae8

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

kernel32

advapi32

user32

imagehlp

ole32

oleaut32

shell32

wdscore

rpcrt4

dismapi

Exports

Exports

Sections

.text Size: 732KB - Virtual size: 732KB

.data Size: 12KB - Virtual size: 16KB

.idata Size: 10KB - Virtual size: 9KB

.didat Size: 512B - Virtual size: 52B

.rsrc Size: 6KB - Virtual size: 6KB

.reloc Size: 28KB - Virtual size: 27KB

.text
Size: 732KB - Virtual size: 732KB

.data
Size: 12KB - Virtual size: 16KB

.idata
Size: 10KB - Virtual size: 9KB

.didat
Size: 512B - Virtual size: 52B

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 28KB - Virtual size: 27KB