rundll32.exe

The executable rundll32.exe has been detected as malware by 6 of 68 anti-virus scanners. While running, it was observed connecting to the Internet address ns368209.ip-94-23-31.eu on port 9631 (this host does not appear in the per-connection list further down, which records the other endpoints seen; port 9631 is one of the three beaconing ports used throughout that list).
MD5:
d18c52e9c354cfd6f2dca2e169be4559

SHA-1:
fe3b0db71631e64a71983ac5d5d5b6d30b1c4c42

SHA-256:
55160723ec109807ef112ba7bf44379620f3bfde3355d3d1cf9ba22f125d097c

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
12/27/2024 6:51:25 AM UTC

Scan engine           Detection                                Engine version
Dr.Web                Trojan.DownLoader18.14138                9.0.1.05190
ESET NOD32            Win32/Injector.COOR trojan               7.0.302.0
F-Secure              Trojan:W32/Gen5921.fe3b0db716!Online     5.15.21
Kaspersky             Trojan.Win32.Fsysna                      15.0.0.562
Qihoo 360 Security    HEUR/QVM07.1.Malware.Gen                 1.0.0.1077
Rising Antivirus      PE:Malware.RDM.35!5.29 [F]               23.00.65.151216

File size:
173.5 KB (177,666 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\rundll32.exe
(The genuine Windows rundll32.exe resides in %SystemRoot%\System32, and in %SystemRoot%\SysWOW64 on 64-bit systems. A copy running from a user's roaming AppData folder is borrowing the system binary's name; the path, not the file name, is the tell.)

File PE Metadata
Compilation timestamp:
12/3/2015 1:36:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.0

CTPH (ssdeep):
3072:vJjpI9ReUx80CVrKvIi5CGvbvpm8+iW5wVcMZfe7u9rj:vJofiJiYubvpm8+iWQJfDRj

Entry address:
0xB0B2

Entry point:
55, 8B, EC, 6A, FF, 68, 30, E5, 40, 00, 68, 8C, B4, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 20, 58, 41, 00, 59, 83, 0D, 38, 46, 41, 00, FF, 83, 0D, 48, 46, 41, 00, FF, FF, 15, 24, 58, 41, 00, 8B, 0D, 24, 46, 41, 00, 89, 08, FF, 15, 28, 58, 41, 00, 8B, 0D, 20, 46, 41, 00, 89, 08, A1, 2C, 58, 41, 00, 8B, 00, A3, 2C, 46, 41, 00, E8, 58, 03, 00, 00, 39, 1D, E0, 43, 41, 00, 75, 0C, 68, 76, B4, 40, 00, FF, 15, 30, 58...

Entropy:
6.6034

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
52 KB (53,248 bytes)
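As an added example that is not part of the scanner listing, the script below turns the file metadata above into a small triage check: it recomputes the three listed hashes, flags a rundll32.exe that runs outside the Windows system directories, computes the byte entropy the listing reports, and maps the entry point of a PE32 file to its file offset so the bytes there can be compared with the Visual C++ 6.0 CRT prologue visible in the listed entry bytes. The system-directory set assumes a default C:\Windows install, and the entry-byte match is only a compiler fingerprint, not a malware signature.

```python
"""Added example (not part of the scanner listing): file-level triage checks
built from the indicators on this page. Usage: python triage.py <file>"""
import hashlib
import math
import ntpath
import struct
import sys
from collections import Counter

# Hashes and size copied from the listing above.
KNOWN_MD5 = "d18c52e9c354cfd6f2dca2e169be4559"
KNOWN_SHA1 = "fe3b0db71631e64a71983ac5d5d5b6d30b1c4c42"
KNOWN_SHA256 = "55160723ec109807ef112ba7bf44379620f3bfde3355d3d1cf9ba22f125d097c"
KNOWN_SIZE = 177666

# First 32 entry-point bytes copied from the listing: the stock Visual C++ 6.0
# CRT startup prologue (push ebp / mov ebp,esp / push -1 / push handler / ...
# / mov eax,fs:[0]). Matching it means "built with VC6", not "this malware".
LISTED_ENTRY_BYTES = bytes.fromhex(
    "55 8B EC 6A FF 68 30 E5 40 00 68 8C B4 40 00 64 A1 00 00 00 00 50 64 89 25"
    " 00 00 00 00 83 EC 68"
)
VC6_ENTRY_PREFIX = bytes.fromhex("55 8B EC 6A FF 68")

# Where a genuine rundll32.exe lives. Assumption: %SystemRoot% is C:\Windows.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the file content as lowercase hex."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_known_sample(data: bytes) -> bool:
    """True only when the size and all three listed hashes match."""
    if len(data) != KNOWN_SIZE:
        return False
    h = hashes(data)
    return (h["md5"], h["sha1"], h["sha256"]) == (KNOWN_MD5, KNOWN_SHA1, KNOWN_SHA256)


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits, 0 to 8 (the listing reports 6.6034 for this file)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_masquerading_path(path: str) -> bool:
    """rundll32.exe anywhere but the system directories; ntpath keeps the check
    working on a non-Windows analysis box."""
    directory, name = ntpath.split(ntpath.normcase(path))
    return name == "rundll32.exe" and directory not in LEGIT_DIRS


def entry_point_bytes(data: bytes, count: int = 16) -> bytes:
    """Map AddressOfEntryPoint of a PE file to its file offset through the
    section table and return the first bytes there; b"" if not a PE."""
    try:
        if data[:2] != b"MZ":
            return b""
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return b""
        nsections = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        entry_rva = struct.unpack_from("<I", data, pe + 40)[0]  # optional header + 16
        sections = pe + 24 + opt_size
        for i in range(nsections):
            vaddr, rawsize, rawptr = struct.unpack_from("<III", data, sections + i * 40 + 12)
            if vaddr <= entry_rva < vaddr + rawsize:
                start = rawptr + (entry_rva - vaddr)
                return data[start:start + count]
    except struct.error:
        pass
    return b""


def has_vc6_entry(entry_bytes: bytes) -> bool:
    return entry_bytes.startswith(VC6_ENTRY_PREFIX)


def triage(path: str, data: bytes, entry_bytes: bytes = b"") -> list:
    """Names of the indicators that fired, strongest first."""
    hits = []
    if matches_known_sample(data):
        hits.append("hash-match")
    if is_masquerading_path(path):
        hits.append("rundll32-outside-system32")
    if has_vc6_entry(entry_bytes):
        hits.append("vc6-crt-entry")
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: triage.py <file>")
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print("entropy:", round(shannon_entropy(blob), 4))
    print("hashes:", hashes(blob))
    print("indicators:", triage(sys.argv[1], blob, entry_point_bytes(blob)))
```

A hash match is the only conclusive result here; the path and entry-byte checks are triage hints that justify pulling the file for analysis, not a verdict on their own.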

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to loft11332.dedicatedpanel.com  (85.25.237.52:9631)

TCP:
Connects to loft10278.dedicatedpanel.com  (85.25.74.88:9027)

TCP:
Connects to loft11230.dedicatedpanel.com  (188.138.102.50:9997)

TCP:
Connects to loft12007.serverprofi24.eu  (85.25.237.240:9997)

TCP:
Connects to loft11246.serverprofi24.com  (188.138.102.74:9997)

TCP:
Connects to windows.myint85.net  (185.48.56.84:9997)

TCP (SMTP):
Connects to vcs-star-s-myc.mail.vip.sg3.yahoo.com  (106.10.150.156:25)

TCP:
Connects to loft12100.dedicatedpanel.com  (85.93.93.92:9631)

TCP:
Connects to loft11030.dedicatedpanel.com  (188.138.57.44:9997)

TCP:
Connects to ns302526.ip-94-23-196.eu  (94.23.196.156:9997)

TCP:
Connects to loft9199.serverprofi24.eu  (188.138.41.30:9631)

TCP:
Connects to loft12027.dedicatedpanel.com  (85.93.93.9:9997)

TCP:
Connects to a2.89.b6.static.xlhost.com  (207.182.137.162:9631)

TCP:
Connects to loft12155.serverprofi24.eu  (85.93.93.147:9997)

TCP:
Connects to loft12137.serverprofi24.eu  (85.93.93.129:9997)

TCP:
Connects to loft12056.dedicatedpanel.com  (85.93.93.50:9631)

TCP:
Connects to kvm1.schlumbergerlimited.ch  (188.138.102.48:9997)

TCP:
Connects to mail.yarilla.com  (85.25.217.200:9631)

TCP:
Connects to loft24030.serverprofi24.com  (62.138.14.33:9631)

TCP:
Connects to loft11225.dedicatedpanel.com  (188.138.102.45:9997)
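As an added example that is not part of the scanner listing, the detector below runs the network indicators above over connection records: an exact match on a listed hostname or IP is the strong signal, while a public destination on one of the three beaconing ports (9631, 9027, 9997) or a hostname under the hosting domains that recur in the list are reported as weaker, separate reasons. The record format and the sample lines are constructed for this example, and the host loft12999.serverprofi24.eu with address 85.93.93.200 is hypothetical, included only to show the weaker heuristics firing without an exact match; ns368209.ip-94-23-31.eu from the summary line can be added to LISTED_HOSTS if its address is known.

```python
"""Added example (not part of the scanner listing): match connection records
against the network indicators listed on this page."""
import ipaddress
import re

# (hostname, ip, port) triples copied from the listing above.
LISTED_ENDPOINTS = [
    ("loft11332.dedicatedpanel.com", "85.25.237.52", 9631),
    ("loft10278.dedicatedpanel.com", "85.25.74.88", 9027),
    ("loft11230.dedicatedpanel.com", "188.138.102.50", 9997),
    ("loft12007.serverprofi24.eu", "85.25.237.240", 9997),
    ("loft11246.serverprofi24.com", "188.138.102.74", 9997),
    ("windows.myint85.net", "185.48.56.84", 9997),
    ("vcs-star-s-myc.mail.vip.sg3.yahoo.com", "106.10.150.156", 25),
    ("loft12100.dedicatedpanel.com", "85.93.93.92", 9631),
    ("loft11030.dedicatedpanel.com", "188.138.57.44", 9997),
    ("ns302526.ip-94-23-196.eu", "94.23.196.156", 9997),
    ("loft9199.serverprofi24.eu", "188.138.41.30", 9631),
    ("loft12027.dedicatedpanel.com", "85.93.93.9", 9997),
    ("a2.89.b6.static.xlhost.com", "207.182.137.162", 9631),
    ("loft12155.serverprofi24.eu", "85.93.93.147", 9997),
    ("loft12137.serverprofi24.eu", "85.93.93.129", 9997),
    ("loft12056.dedicatedpanel.com", "85.93.93.50", 9631),
    ("kvm1.schlumbergerlimited.ch", "188.138.102.48", 9997),
    ("mail.yarilla.com", "85.25.217.200", 9631),
    ("loft24030.serverprofi24.com", "62.138.14.33", 9631),
    ("loft11225.dedicatedpanel.com", "188.138.102.45", 9997),
]
LISTED_HOSTS = {host for host, _, _ in LISTED_ENDPOINTS}
LISTED_IPS = {ip for _, ip, _ in LISTED_ENDPOINTS}

# Beaconing ports from the listing. Port 25 is left out on purpose: its only
# entry is Yahoo's mail infrastructure, which workstations may reach for
# legitimate reasons, so it can only match as a listed endpoint.
C2_PORTS = {9631, 9027, 9997}

# Hosting domains behind most listed servers. Assumption drawn from the listing
# (the operator keeps renting at the same providers); it does not make every
# host under them malicious, so it is reported as its own reason.
PROVIDER_SUFFIXES = (".dedicatedpanel.com", ".serverprofi24.eu", ".serverprofi24.com")

# Constructed record format for this example (not a real product's log):
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> (<dst_hostname or ->)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+\((?P<host>[^)]*)\)$"
)


def parse_line(line: str):
    """Parse one record; None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host").strip().lower().rstrip(".")
    return {"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
            "port": int(m.group("port")), "host": "" if host == "-" else host}


def classify(conn: dict) -> list:
    """Indicator names that fire for one parsed connection, strongest first."""
    reasons = []
    if conn["dst"] in LISTED_IPS or conn["host"] in LISTED_HOSTS:
        reasons.append("listed-endpoint")
    # Internal destinations are excluded from the port heuristic; every listed
    # C2 server is a public address.
    if conn["port"] in C2_PORTS and not ipaddress.ip_address(conn["dst"]).is_private:
        reasons.append("c2-port")
    if conn["host"].endswith(PROVIDER_SUFFIXES):
        reasons.append("c2-provider")
    return reasons


def scan(lines) -> list:
    """(src, dst, port, reasons) for every record that matched at least once."""
    alerts = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        reasons = classify(conn)
        if reasons:
            alerts.append((conn["src"], conn["dst"], conn["port"], reasons))
    return alerts


# Constructed sample records; 85.93.93.200 / loft12999.serverprofi24.eu are
# hypothetical and not in the listing.
SAMPLE_LOG = """\
2024-12-27T06:51:25Z 10.0.0.15 -> 85.25.237.52:9631 (loft11332.dedicatedpanel.com)
2024-12-27T06:51:26Z 10.0.0.15 -> 203.0.113.10:443 (www.example.test)
2024-12-27T06:51:27Z 10.0.0.15 -> 85.93.93.200:9997 (loft12999.serverprofi24.eu)
2024-12-27T06:51:28Z 10.0.0.15 -> 106.10.150.156:25 (vcs-star-s-myc.mail.vip.sg3.yahoo.com)
2024-12-27T06:51:29Z 10.0.0.15 -> 10.0.0.5:9997 (-)
malformed record that the parser skips
""".splitlines()

if __name__ == "__main__":
    for src, dst, port, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port}  {', '.join(reasons)}")
```

Treat "c2-port" and "c2-provider" as hunting leads rather than alerts on their own: the listing shows the operator rotating through many hosts at the same providers, so a fresh host on a known port is worth a look, but the provider domains also serve ordinary customers.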

Remove rundll32.exe - Powered by Reason Core Security