home

rundll32.exe

The executable rundll32.exe has been detected as malware by 3 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Microsoft Windows’.
MD5:
59569588ddb1c2900f90df825af476ea

SHA-1:
1cc3db952afaeecaf9571d0da9d6542a988195a3

SHA-256:
963f418cf74b16ae4c871ff9a5512cd10e0f5bec7021756bba9baf5b8c1f673e

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
4/27/2024 2:29:25 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Sality
160917-0

Clam AntiVirus
Win.Trojan.10181624-6
0.98/23192

Kaspersky
Trojan.Win32.Agentb
15.0.2.529

File size:
736.7 KB (754,331 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\office\rundll32.exe

File PE Metadata
Compilation timestamp:
1/18/2011 8:14:33 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

Entry address:
0x7ADD4

Entry point:
F7, C5, 55, 68, 92, 93, 81, FB, 61, 8D, 00, 00, 77, 0E, 8D, 1D, D0, FD, 32, 6A, F7, C6, 27, 6C, B5, F0, FE, CC, 77, 0C, C7, C0, 82, 10, 5E, DC, 8B, F6, 01, ED, 18, E4, 77, 02, FE, CB, 0F, C8, 3B, C8, 8B, CB, 89, DA, 3B, CF, 70, 0C, F6, C4, 86, 87, C0, 8B, DE, F6, C4, 3C, 84, F7, 47, E8, 14, 00, 00, 00, 0F, CE, 71, 02, 89, F5, 81, EF, C2, 9F, F8, FF, 29, D3, 81, EF, AA, C6, 07, 00, 5F, 81, FD, 30, F0, 00, 00, 76, 02, 87, C0, 3B, D6, 78, 01, 4E, B0, 74, 0F, BE, F0, 87, C0, 0F, C8, BE, 90, E2, 00, 00, 75, 03...
 
[+]

Entropy:
6.8200

Code size:
556.5 KB (569,856 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows

Command:
C:\users\{user}\appdata\roaming\microsoft\office\rundll32.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hostedc76.carrierzone.com  (69.49.115.40:80)

TCP (HTTP):
Connects to ec2-54-251-109-4.ap-southeast-1.compute.amazonaws.com  (54.251.109.4:80)

TCP (HTTP):
Connects to dns1.interbox.cz  (77.78.99.55:80)

TCP (HTTP):
Connects to custip-1109.sedoparking.com  (91.195.240.109:80)

TCP (HTTP):
Connects to 161maklp3.guzel.net.tr  (31.192.214.161:80)

TCP (HTTP):
Connects to win15.securedc.com  (64.8.117.67:80)

TCP (HTTP):
Connects to host176.b5.trdns.com  (77.245.148.176:80)

TCP (HTTP):
Connects to HDRedirect-LB3-890977680.us-east-1.elb.amazonaws.com  (68.168.222.206:80)

Remove rundll32.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.