rundl.exe

First submission 2024-10-16 17:36:03 Last sumbission 2024-10-16 17:37:05

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	470.5 KB (481792 bytes)
Compile time:	2022-11-16 20:11:43
MD5:	0bc532538aea8f63c70ed009d4290c73
SHA1:	9ef7d7b4174618bd053df4b86453102709804eb7
SHA256:	fc074a5ed883b127fe005d14e1e0b870a93318ed1840fd94e9771458a19a229e
Import Hash :	658143f158f14e9bff661e164dfff376
Sections 7	.text .rdata .data .tls .gfids .rsrc .reloc
Directories 5	import resource debug tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	60/77 VT report date: 2024-08-25 18:32:02
Malware Type 1	trojan
Threat Type 3	remcos rescoms ratx

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://blaconmachine.com/wrdl/rundl.exe	blaconmachine.com	2024-10-16 17:36:03

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x544db	345600	da327576cf53b8d82e8ffe587c4740e9d6e660fc	3b313dd7e0b88bc4f20b027608872bb4
.rdata	0x56000	0x1749c	95744	95ccc53a34e649ac5c80fc3a436f296782c2ef67	ee53e60b1edc667785b9d9a9b066e70a
.data	0x6e000	0x5c2c	3584	83bd7dd6fcad1d6db972c3655746e854604ac23f	a4f9cb337e6b61f2cfff51c01b633917
.tls	0x74000	0x9	512	aa0d33a0c854e073439067876e932688b65cb6a9	1f354d76203061bfdd5a53dae48d5435
.gfids	0x75000	0x230	1024	545d0d24902e034ccbf85f77d48719f3ffd0cdba	24ce52767f7213e77eec2ab2a4e6e7be
.rsrc	0x76000	0x4b28	19456	1981f98ada7e92ee6776fc4ca5af9de1ff508aa6	bbb1c13546db0e26532dc09d056f3be2
.reloc	0x7b000	0x39b4	14848	a016d710e5b3a73660cfede9f1d3086c8894f046	75a063302dfdd9fb0dcfea0c10ae3f1f

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x78024	9640	PE Resource: RT_ICON - Data (0` %zzwwvvuuuurrrrpp}oo\|nnzmmxmmskkvqqs'%%f^^333RRRQQQQQQQQQQQQKMMqqJIIPPPQQQQQQQQQSSSCCCvvvttttttttttttrssrrdccttttttttttttwww"""\\\666lllCCCdddfffdddcccbbb^__jbbwwFGGKKKKKKJJJKKK???vvuyyxxwwxxlccyllrrSQQ{\|\|EFFuuu&&NQ\|}~ 02Cm$ Sb (?V+WTn%5Is' U!I2d3f _ EF< %7;<H25' #d!fL j%Y]^N`Q>]^ TSh ga [9 3bv"-K-,- in$!%x,U - p7)534 L;k!G\|1<j$YO2h"$<h:l!Fm!ep#e & '$ #$!'+/)(0, !#.0132,$-04544>v(Y&() Q/ Vk$7q'~)0u : A>1h".3-7w#5'/#@ 1u%\|)y-j$/Un% D{,k4- h{w'c1\|&\|+S \|,}+c{(3 _6Yv)c!99 )+F,&!!8U75 +!! " '2! ~\|}\|{zxwxvwvtss}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}COMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMOCss[gg[[[
RT_RCDATA	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x7a5cc	1306	PE Resource: RT_RCDATA - Data Aum;t.6."] p`&ieS>%S`8\ IF\jMm{q?U>Wg 8mx=q>gt/V1h_cjBob'3DT/,8o:2;kR>t%]?(y# "^B6!!"e0]T4/Ej) >F%AxfgJ}u c,,760z# dY\|hUcK!& hX%P'T1 `=Ul}unso)p5_j(?QSl_Iv<aR$~y[DLWrgU%ZyTZJ(xM=5 88RzHQ4h sX(TewI8b$n"w#hPbfzbeO>>WEG,: cSKgFt Oy U bsf3))(\|[,qS~2Vrb_XBsxA=fjFo/09jhdtoG^"'1o=$w>hbd@~-m(T+iYsf)>C# _ Pl_7_@O^4_qq^ wjAmt-C841"M#P#G\[Z\PGa`E F\~!b_HKq1A`;MrJYGeA6 -oxF@m(,D(_MRs! !p,Noxa&B_DY(}hTv]dY`4z`h YFsrX*;@?u<uXC)AQX;E(x9UA9Oq lI[B,.yo{kT/;GuAy$zT FfDIQ't#dJ 1g"z{s ?r}RfXk{`cT`#"l>DcO;_=j3~Aqg
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x7aae8	62

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x78024

9640

RT_RCDATA

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x7a5cc

1306

RT_GROUP_ICON

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x7aae8

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 9

GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Database
\key3.db
Text
\sysinfo.txt
license_code.txt
Library
mscoree.dll
KERNEL32.dll
SHLWAPI.dll
WINMM.dll
ADVAPI32.dll
ntdll.dll
USER32.dll
PSAPI.DLL
WININET.dll
SHELL32.dll
Powrprof.dll
gdiplus.dll
urlmon.dll
WS2_32.dll
GDI32.dll

Strings analysis - Possible URLs found 1

http://geoplugin.net/json.gp

Import functions

gdiplus.dll 9 urlmon.dll 2 WINMM.dll 10 WININET.dll 4 GDI32.dll 9 SHELL32.dll 4 KERNEL32.dll 157 ADVAPI32.dll 33 SHLWAPI.dll 3 WS2_32.dll 17 USER32.dll 43

Function	Address	Souspicious	Anti Debug
GdipLoadImageFromStream	0x456484
GdiplusStartup	0x456488
GdipGetImageEncoders	0x45648c
GdipSaveImageToStream	0x456490
GdipFree	0x456494
GdipDisposeImage	0x456498
GdipAlloc	0x45649c
GdipCloneImage	0x4564a0
GdipGetImageEncodersSize	0x4564a4

Function	Address	Souspicious	Anti Debug
URLOpenBlockingStreamW	0x4564ac
URLDownloadToFileW	0x4564b0

Function	Address	Souspicious	Anti Debug
waveInUnprepareHeader	0x456410
waveInClose	0x456414
mciSendStringW	0x456418
waveInOpen	0x45641c
PlaySoundW	0x456420
waveInStart	0x456424
waveInStop	0x456428
waveInPrepareHeader	0x45642c
waveInAddBuffer	0x456430
mciSendStringA	0x456434

Function	Address	Souspicious	Anti Debug
InternetOpenUrlW	0x4563fc
InternetCloseHandle	0x456400
InternetReadFile	0x456404
InternetOpenW	0x456408

Function	Address	Souspicious	Anti Debug
SelectObject	0x456088
CreateCompatibleDC	0x45608c
StretchBlt	0x456090
GetDIBits	0x456094
DeleteDC	0x456098
DeleteObject	0x45609c
CreateDCA	0x4560a0
GetObjectA	0x4560a4
CreateCompatibleBitmap	0x4560a8

Function	Address	Souspicious	Anti Debug
ShellExecuteExA	0x456328
Shell_NotifyIconA	0x45632c
ExtractIconA	0x456330
ShellExecuteW	0x456334

Function	Address	Souspicious	Anti Debug
CopyFileW	0x4560b0
CreateMutexA	0x4560b4
GetLocaleInfoA	0x4560b8
CreateToolhelp32Snapshot	0x4560bc
OpenMutexA	0x4560c0
Process32NextW	0x4560c4
Process32FirstW	0x4560c8
VirtualProtect	0x4560cc
SetLastError	0x4560d0
VirtualFree	0x4560d4
VirtualAlloc	0x4560d8
GetNativeSystemInfo	0x4560dc
HeapAlloc	0x4560e0
GetProcessHeap	0x4560e4
FreeLibrary	0x4560e8
IsBadReadPtr	0x4560ec
GetTempPathW	0x4560f0
OpenProcess	0x4560f4
lstrcatW	0x4560f8
GetCurrentProcessId	0x4560fc
GetTempFileNameW	0x456100
GetCurrentProcess	0x456104
GetSystemDirectoryA	0x456108
GlobalAlloc	0x45610c
GlobalLock	0x456110
GetTickCount	0x456114
GlobalUnlock	0x456118
WriteProcessMemory	0x45611c
ResumeThread	0x456120
GetThreadContext	0x456124
ReadProcessMemory	0x456128
CreateProcessW	0x45612c
SetThreadContext	0x456130
LocalAlloc	0x456134
GlobalFree	0x456138
MulDiv	0x45613c
SizeofResource	0x456140
GetConsoleScreenBufferInfo	0x456144
SetConsoleTextAttribute	0x456148
GetStdHandle	0x45614c
SetFilePointer	0x456150
FindResourceA	0x456154
LockResource	0x456158
LoadResource	0x45615c
LocalFree	0x456160
SetConsoleOutputCP	0x456164
FormatMessageA	0x456168
AllocConsole	0x45616c
GetModuleFileNameA	0x456170
GetLongPathNameW	0x456174
QueryPerformanceFrequency	0x456178
QueryPerformanceCounter	0x45617c
EnterCriticalSection	0x456180
LeaveCriticalSection	0x456184
InitializeCriticalSection	0x456188
DeleteCriticalSection	0x45618c
HeapSize	0x456190
WriteConsoleW	0x456194
SetStdHandle	0x456198
SetEnvironmentVariableW	0x45619c
SetEnvironmentVariableA	0x4561a0
FreeEnvironmentStringsW	0x4561a4
GetEnvironmentStringsW	0x4561a8
GetCommandLineW	0x4561ac
GetCommandLineA	0x4561b0
GetOEMCP	0x4561b4
IsValidCodePage	0x4561b8
FindFirstFileExA	0x4561bc
ReadConsoleW	0x4561c0
GetConsoleMode	0x4561c4
GetConsoleCP	0x4561c8
FlushFileBuffers	0x4561cc
GetFileType	0x4561d0
GetTimeZoneInformation	0x4561d4
EnumSystemLocalesW	0x4561d8
GetUserDefaultLCID	0x4561dc
IsValidLocale	0x4561e0
GetTimeFormatW	0x4561e4
GetDateFormatW	0x4561e8
HeapReAlloc	0x4561ec
GetACP	0x4561f0
GetModuleHandleExW	0x4561f4
MoveFileExW	0x4561f8
RtlUnwind	0x4561fc
RaiseException	0x456200
LoadLibraryExW	0x456204
GetCPInfo	0x456208
GetStringTypeW	0x45620c
GetLocaleInfoW	0x456210
LCMapStringW	0x456214
CompareStringW	0x456218
TlsFree	0x45621c
TlsSetValue	0x456220
TlsGetValue	0x456224
ExpandEnvironmentStringsA	0x456228
FindNextFileA	0x45622c
FindFirstFileA	0x456230
GetFileSize	0x456234
TerminateThread	0x456238
GetLastError	0x45623c
SetFileAttributesW	0x456240
GetModuleHandleA	0x456244
CreateDirectoryW	0x456248
RemoveDirectoryW	0x45624c
MoveFileW	0x456250
SetFilePointerEx	0x456254
GetLogicalDriveStringsA	0x456258
DeleteFileW	0x45625c
DeleteFileA	0x456260
GetFileAttributesW	0x456264
FindClose	0x456268
lstrlenA	0x45626c
GetDriveTypeA	0x456270
FindNextFileW	0x456274
GetFileSizeEx	0x456278
FindFirstFileW	0x45627c
ExitProcess	0x456280
GetProcAddress	0x456284
LoadLibraryA	0x456288
CreateProcessA	0x45628c
PeekNamedPipe	0x456290
CreatePipe	0x456294
TerminateProcess	0x456298
ReadFile	0x45629c
HeapFree	0x4562a0
HeapCreate	0x4562a4
CreateEventA	0x4562a8
GetLocalTime	0x4562ac
CreateThread	0x4562b0
SetEvent	0x4562b4
CreateEventW	0x4562b8
WaitForSingleObject	0x4562bc
Sleep	0x4562c0
GetModuleFileNameW	0x4562c4
CloseHandle	0x4562c8
ExitThread	0x4562cc
CreateFileW	0x4562d0
WriteFile	0x4562d4
lstrcpynA	0x4562d8
TlsAlloc	0x4562dc
InitializeCriticalSectionAndSpinCount	0x4562e0
MultiByteToWideChar	0x4562e4
DecodePointer	0x4562e8
EncodePointer	0x4562ec
WideCharToMultiByte	0x4562f0
InitializeSListHead	0x4562f4
GetSystemTimeAsFileTime	0x4562f8
GetCurrentThreadId	0x4562fc
IsProcessorFeaturePresent	0x456300
GetStartupInfoW	0x456304
SetUnhandledExceptionFilter	0x456308
UnhandledExceptionFilter	0x45630c
IsDebuggerPresent	0x456310
GetModuleHandleW	0x456314
WaitForSingleObjectEx	0x456318
ResetEvent	0x45631c
SetEndOfFile	0x456320

Function	Address	Souspicious	Anti Debug
CryptAcquireContextA	0x456000
CryptGenRandom	0x456004
CryptReleaseContext	0x456008
GetUserNameW	0x45600c
RegEnumKeyExA	0x456010
QueryServiceStatus	0x456014
CloseServiceHandle	0x456018
OpenSCManagerW	0x45601c
OpenSCManagerA	0x456020
ControlService	0x456024
StartServiceW	0x456028
QueryServiceConfigW	0x45602c
ChangeServiceConfigW	0x456030
OpenServiceW	0x456034
EnumServicesStatusW	0x456038
AdjustTokenPrivileges	0x45603c
LookupPrivilegeValueA	0x456040
OpenProcessToken	0x456044
RegCreateKeyA	0x456048
RegCloseKey	0x45604c
RegQueryInfoKeyW	0x456050
RegQueryValueExA	0x456054
RegCreateKeyExW	0x456058
RegEnumKeyExW	0x45605c
RegSetValueExW	0x456060
RegSetValueExA	0x456064
RegOpenKeyExA	0x456068
RegOpenKeyExW	0x45606c
RegCreateKeyW	0x456070
RegDeleteValueW	0x456074
RegEnumValueW	0x456078
RegQueryValueExW	0x45607c
RegDeleteKeyA	0x456080

Function	Address	Souspicious	Anti Debug
StrToIntA	0x45633c
PathFileExistsW	0x456340
PathFileExistsA	0x456344

Function	Address	Souspicious	Anti Debug
WSAGetLastError	0x45643c
recv	0x456440
connect	0x456444
socket	0x456448
send	0x45644c
WSAStartup	0x456450
closesocket	0x456454
inet_ntoa	0x456458
htonl	0x45645c
getservbyname	0x456460
ntohs	0x456464
getservbyport	0x456468
gethostbyaddr	0x45646c
inet_addr	0x456470
WSASetLastError	0x456474
gethostbyname	0x456478
htons	0x45647c

Function	Address	Souspicious	Anti Debug
mouse_event	0x45634c
TranslateMessage	0x456350
DispatchMessageA	0x456354
GetMessageA	0x456358
GetWindowTextW	0x45635c
wsprintfW	0x456360
GetClipboardData	0x456364
UnhookWindowsHookEx	0x456368
GetForegroundWindow	0x45636c
ToUnicodeEx	0x456370
GetKeyboardLayout	0x456374
SetWindowsHookExA	0x456378
CloseClipboard	0x45637c
OpenClipboard	0x456380
GetKeyboardState	0x456384
CallNextHookEx	0x456388
GetKeyboardLayoutNameA	0x45638c
GetKeyState	0x456390
GetWindowTextLengthW	0x456394
GetWindowThreadProcessId	0x456398
SetForegroundWindow	0x45639c
SetClipboardData	0x4563a0
EnumWindows	0x4563a4
ExitWindowsEx	0x4563a8
GetSystemMetrics	0x4563ac
GetIconInfo	0x4563b0
SystemParametersInfoW	0x4563b4
GetCursorPos	0x4563b8
RegisterClassExA	0x4563bc
DrawIcon	0x4563c0
AppendMenuA	0x4563c4
CreateWindowExA	0x4563c8
DefWindowProcA	0x4563cc
TrackPopupMenu	0x4563d0
CreatePopupMenu	0x4563d4
EnumDisplaySettingsW	0x4563d8
SendInput	0x4563dc
EmptyClipboard	0x4563e0
ShowWindow	0x4563e4
SetWindowTextW	0x4563e8
MessageBoxW	0x4563ec
IsWindowVisible	0x4563f0
CloseWindow	0x4563f4

Name	Latest seen	MD5
vhad.exe	2022-12-09 18:44:02	ec8e41469c87d52dc8238ba282f613b6