home

rundl32.exe

The executable rundl32.exe has been detected as malware by 29 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Integrated Driver’. While running, it connects to the Internet address cf-190-93-243-15.cloudflare.com on port 80 using the HTTP protocol.
MD5:
14d31a29d76b2c0efd4f710dbb24b715

SHA-1:
4eb5427b3835931a019e5390d6ac718bdd72e3c2

SHA-256:
dbf78910cf59c6af72c8729f2215789dd215a54afc1fbb72be7498d5a81cd3ce

Scanner detections:
29 / 68

Status:
Malware

Analysis date:
11/27/2024 11:23:53 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.8119575
843

AhnLab V3 Security
Trojan/Win32.Yakes
2014.06.05

Avira AntiVirus
TR/Agent.fpk
7.11.152.248

avast!
Win32:Crypt-OKR [Trj]
2014.9-141015

AVG
Generic30
2015.0.3321

Baidu Antivirus
Trojan.Win32.Genome
4.0.3.141015

Bitdefender
Trojan.Generic.8119575
1.0.20.1440

Bkav FE
W32.Clodb1c.Trojan
1.3.0.4959

Comodo Security
Heur.Suspicious
18434

Dr.Web
Trojan.Coinbit.13
9.0.1.0288

Emsisoft Anti-Malware
Trojan.Generic.8119575
8.14.10.15.09

ESET NOD32
Win32/CoinMiner.BJ
8.9893

Fortinet FortiGate
W32/Agent.YQV!tr
10/15/2014

F-Secure
Trojan.Generic.8119575
11.2014-15-10_4

G Data
Trojan.Generic.8119575
14.10.24

IKARUS anti.virus
Trojan.VB2
t3scan.1.6.1.0

K7 AntiVirus
Riskware
13.1712305

Kaspersky
Trojan.Win32.Genome
14.0.0.3098

McAfee
Artemis!14D31A29D76B
5600.6977

Microsoft Security Essentials
Trojan:Win32/Tarcloin.B
1.10600

MicroWorld eScan
Trojan.Generic.8119575
15.0.0.864

NANO AntiVirus
Trojan.Win32.Genome.bddrnw
0.28.0.60100

Norman
Troj_Generic.FOKSP
11.20141015

nProtect
Trojan.Generic.8119575
14.06.04.01

Panda Antivirus
Generic Trojan
14.10.15.09

Qihoo 360 Security
HEUR/Malware.QVM05.Gen
1.0.0.1015

Sophos
Troj/Agent-YQV
4.98

Vba32 AntiVirus
Trojan.Yakes
3.12.26.0

VIPRE Antivirus
Trojan.Win32.Meredrop
29934

File size:
5.7 MB (5,929,984 bytes)

File type:
Executable application (Win32 EXE)

Language:
Urduca (Pakistan Islam Cumhuriyeti)

Common path:
C:\users\{user}\appdata\roaming\the creative assembly\rundl32.exe

File PE Metadata
Compilation timestamp:
11/1/2012 12:30:22 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.50

CTPH (ssdeep):
24576:tw7Qe/cCRCGCXQmZALNY/uA0a+y9idgEGweD9SWPKtP26eK51EkAWl7X3ZE5WMk3:8/cUTfqRTKCmCSXLpF1L7rh5W

Entry address:
0x1000

Entry point:
68, 98, 00, 00, 00, 68, 00, 00, 00, 00, 68, 90, 1E, 41, 00, E8, A6, 60, 00, 00, 83, C4, 0C, 68, 00, 00, 00, 00, E8, 9F, 60, 00, 00, A3, 94, 1E, 41, 00, 68, 00, 00, 00, 00, 68, 00, 10, 00, 00, 68, 00, 00, 00, 00, E8, 8C, 60, 00, 00, A3, 90, 1E, 41, 00, E8, 5C, B8, 00, 00, E8, 41, B7, 00, 00, E8, 32, A4, 00, 00, E8, 47, 95, 00, 00, E8, 88, 91, 00, 00, E8, B1, 90, 00, 00, E8, FB, 83, 00, 00, E8, AF, 7B, 00, 00, E8, DD, 7A, 00, 00, E8, 53, 7A, 00, 00, E8, BB, 77, 00, 00, E8, 10, 77, 00, 00, E8, 15, 62, 00, 00...
 
[+]

Packer / compiler:
PKLITE32, 0x1.1

Code size:
47.5 KB (48,640 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Integrated Driver

Command:
C:\users\{user}\appdata\roaming\the creative assembly\rundl32.exe


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to cf-190-93-243-15.cloudflare.com  (190.93.243.15:80)

Remove rundl32.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.