ReAgent[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ReAgent.dll
Size

749KB
MD5

2cc9763e629b30696c272495227af43f
SHA1

01fa47fbfb67fde7a0d1bce0fa0dc574eb65de78
SHA256

9ee6866da5cfd5870d3d000c6835b8fdd918ec3cbc1777cd9f784126fc249a59
SHA512

8283f2cca1a6b213f78ba56746c6dfc8432ca3af6d05e656f36c43b6253e437cf4885ce3a2bf992484f5e1b18aaf91b3c85491b5d1d16726822d65711bd78cb1
SSDEEP

12288:hxcqKTL/mZmAy2ZXhhnjjxrugMZyXUQ1i4TjQ+Xj1LZK/lvFGfDf20eGRotHZsS:hxc5TL/8HvjjxyVZmt1i4TjQ+Xj1LZKj

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ReAgent.dll

Files

ReAgent.dll
.dll windows:6 windows x86 arch:x86

8e2ae90f7f4b2c24402225bf82158908

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

ReAgent.pdb

Imports

msvcrt

strncmp
wcscpy_s
wcscat_s
bsearch
wcsstr
swprintf_s
_ultow_s
_vscwprintf
iswspace
memcpy_s
wprintf
memcmp
memset
memcpy
_snwscanf_s
__CxxFrameHandler3
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
??1type_info@@UAE@XZ
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
malloc
_wcsnicmp
_vsnprintf
_atoi64
atol
free
wcsrchr
toupper
memmove
??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABV0@@Z
_wcsicmp
_purecall
_vsnwprintf
wcsnlen
wcsncmp
towupper
_wcslwr
_wcsrev
wcschr
qsort
_wcsupr
wcstoul
memmove_s

ntdll

RtlSetOwnerSecurityDescriptor
RtlGetVersion
RtlNtStatusToDosError
RtlGUIDFromString
RtlRaiseStatus
NtClose
RtlFreeHeap
RtlAdjustPrivilege
WinSqmSetString
WinSqmSetDWORD
WinSqmIncrementDWORD
RtlInitializeCriticalSection
RtlLeaveCriticalSection
RtlDeleteCriticalSection
RtlReAllocateHeap
NtWaitForSingleObject
RtlEnterCriticalSection
RtlDeleteResource
RtlReleaseResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlInitializeResource
NtQuerySystemInformation
RtlStringFromGUID
ZwQuerySystemInformation
RtlFreeUnicodeString
ZwOpenMutant
ZwReleaseMutant
ZwWaitForSingleObject
ZwClose
ZwOpenFile
ZwCreateEvent
ZwQueryAttributesFile
RtlAppendUnicodeToString
ZwDeviceIoControlFile
ZwUnloadKey
ZwCreateKey
RtlCreateAcl
RtlFreeSid
RtlSetDaclSecurityDescriptor
ZwDeleteValueKey
ZwSetValueKey
ZwQueryValueKey
RtlLengthSecurityDescriptor
ZwSetSecurityObject
RtlAddAccessAllowedAceEx
ZwLoadKey
RtlAllocateAndInitializeSid
ZwDeleteKey
ZwEnumerateKey
RtlLengthSid
RtlCreateSecurityDescriptor
ZwQueryKey
ZwOpenKey
ZwAllocateUuids
ZwQuerySymbolicLinkObject
RtlInitAnsiString
LdrGetProcedureAddress
LdrGetDllHandle
ZwOpenSymbolicLinkObject
ZwResetEvent
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
NtAdjustPrivilegesToken
NtOpenKey
NtDeviceIoControlFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtCreateEvent
NtQueryValueKey
NtResetEvent
NtQueryBootEntryOrder
NtTranslateFilePath
NtEnumerateBootEntries
NtYieldExecution
DbgPrintEx
RtlDowncaseUnicodeChar
RtlCompareMemory
RtlInitUnicodeString
RtlImpersonateSelf
NtQueryInformationFile
NtCreateFile
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
NtSetSecurityObject
RtlSetControlSecurityDescriptor
NtSetInformationFile

kernel32

MultiByteToWideChar
GetFileSize
SetEndOfFile
GetCurrentProcess
SetFileAttributesW
FindFirstVolumeW
GetDriveTypeW
DeviceIoControl
FindNextVolumeW
FindVolumeClose
GetFileInformationByHandle
SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetVolumePathNamesForVolumeNameW
SetErrorMode
CopyFileExW
GetVolumePathNameW
GetModuleFileNameW
CreateActCtxW
ActivateActCtx
DeactivateActCtx
ReleaseActCtx
GetVolumeNameForVolumeMountPointW
TlsGetValue
TlsSetValue
GetTempPathW
TlsAlloc
DeleteCriticalSection
TlsFree
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
GetHandleInformation
SetFilePointerEx
CompareStringW
CreateEventW
InitializeCriticalSectionAndSpinCount
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
LocalFree
FlushFileBuffers
GetEnvironmentVariableW
SetThreadIdealProcessor
GetCurrentThread
GetTempFileNameW
SetFilePointer
InitializeCriticalSection
GetVolumeInformationW
FindNextFileW
FreeLibrary
LockFileEx
UnlockFileEx
DuplicateHandle
LocalAlloc
HeapReAlloc
WaitForSingleObject
ReleaseSemaphore
SetEvent
CreateThread
WaitForMultipleObjectsEx
CreateSemaphoreExW
LoadLibraryW
SetVolumeMountPointW
GetFileTime
SetFileTime
CloseHandle
CreateFileW
GetFileAttributesExW
MoveFileExW
GetSystemWindowsDirectoryW
CopyFileW
DeleteFileW
SetLastError
HeapFree
GetSystemDirectoryW
GetLastError
GetVersionExW
HeapAlloc
GetProcessHeap
LoadLibraryExA
DelayLoadFailureHook
FindFirstFileW
FindClose
GetSystemInfo
GetDiskFreeSpaceExW
ExpandEnvironmentStringsW
WriteFile
GetFileAttributesW
GetTickCount64
GetProcAddress
GetModuleHandleW
ReadFile
GetFileSizeEx
RemoveDirectoryW
LoadLibraryExW
CreateDirectoryW
VirtualAlloc
VirtualFree
GetPrivateProfileStringW
GetFullPathNameW

advapi32

GetAclInformation
RevertToSelf
ReadEncryptedFileRaw
CloseEncryptedFileRaw
WriteEncryptedFileRaw
OpenEncryptedFileRawW
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
ConvertStringSecurityDescriptorToSecurityDescriptorW
FreeSid
SetNamedSecurityInfoW
AddAccessAllowedAceEx
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteTreeW
RegSaveKeyW
RegOpenKeyW
RegUnLoadKeyW
RegLoadKeyW
RegSetKeyValueW
SetSecurityInfo
RegCopyTreeW
EventWrite
DuplicateTokenEx
RegDeleteValueW
CryptReleaseContext
SetThreadToken
OpenThreadToken
RegFlushKey
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
GetSecurityInfo
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextW
RegDeleteKeyValueW
RegSetValueExW
RegQueryValueExW
RegDeleteKeyW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegGetValueW
TraceMessage

user32

SendMessageW
LoadStringW

imagehlp

ImageNtHeader

ole32

CoInitializeEx
CoCreateInstance
CoUninitialize
CoCreateGuid
CoInitialize
CoTaskMemFree

oleaut32

VariantClear
SysAllocString
SysFreeString
VariantInit

shell32

ShellExecuteExW

wdscore

ConstructPartialMsgVW
CurrentIP
WdsSetupLogMessageW

rpcrt4

UuidCreate
UuidCompare
UuidToStringW
RpcStringFreeW

dismapi

DismAddDriver
DismUnmountImage
DismMountImage
DismDelete
DismGetDrivers
DismCloseSession
DismOpenSession
DismShutdown
DismInitialize
DismCommitImage

Exports

Exports

WinRECheckGuid
WinREUseNewPBRImage
WinRE_Generalize
WinRE_Specialize
WinReAddLogFile
WinReClearBootApp
WinReClearError
WinReClearOemImagePath
WinReCompleteRecovery
WinReConfigureTask
WinReCopyLogFilesToRamdisk
WinReCopySetupFiles
WinReCreateLogInstance
WinReCreateLogInstanceEx
WinReDeleteLogFiles
WinReGetConfig
WinReGetCustomization
WinReGetError
WinReGetGroupPolicies
WinReGetLogDirPath
WinReGetLogFile
WinReGetWIMInfo
WinReInstall
WinReInstallOnTargetOS
WinReIsInstallMedia
WinReIsWinPE
WinReOobeInstall
WinReOpenLogInstance
WinRePostBCDRepair
WinRePostRecovery
WinReRepair
WinReRestoreConfigAfterPBR
WinReRestoreLogFiles
WinReServiceBootUxFiles
WinReServicePbrFiles
WinReSetBootApp
WinReSetConfig
WinReSetCustomization
WinReSetError
WinReSetRecoveryAction
WinReSetRecoveryActionEx
WinReSetTriggerFile
WinReSetupBackupWinRE
WinReSetupCheckWinRE
WinReSetupInstall
WinReSetupMigrateDrivers
WinReSetupRestoreWinRE
WinReSetupRestoreWinREEx
WinReSetupSetImage
WinReUnInstall
WinReUpdateLogInstance
WinReValidateRecoveryWim
winreCollectAuxiliaryData
winreFindInstallMedia
winreGetBinaryArch

Sections

.text
Size: 682KB - Virtual size: 681KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8e2ae90f7f4b2c24402225bf82158908

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

kernel32

advapi32

user32

imagehlp

ole32

oleaut32

shell32

wdscore

rpcrt4

dismapi

Exports

Exports

Sections

.text Size: 682KB - Virtual size: 681KB

.data Size: 12KB - Virtual size: 16KB

.idata Size: 10KB - Virtual size: 9KB

.rsrc Size: 6KB - Virtual size: 6KB

.reloc Size: 38KB - Virtual size: 37KB

.text
Size: 682KB - Virtual size: 681KB

.data
Size: 12KB - Virtual size: 16KB

.idata
Size: 10KB - Virtual size: 9KB

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 38KB - Virtual size: 37KB