» rundll32.exe
Overview
Analysis
File Details
Behaviors (1)
Network (6)

rundll32.exe

The executable rundll32.exe has been detected as malware by 12 anti-virus scanners. While running, it connects to the Internet address box361.bluehost.com on port 80 using the HTTP protocol.

File name:

rundll32.exe

MD5:

033a4b5921f398ad96884df8049c992c

SHA-1:

337cb3e3829441e2c8d51f086938ba6738fae07c

SHA-256:

09caefa0241073e50ce4cbeb5dba79600b03cfcf777fc83357a0e11c150d18a0

Scanner detections:

12 / 68

Status:

Malware

Analysis date:

4/28/2024 11:26:21 AM UTC (today)

Scan engine

Detection

Engine version

avast!

Win32:SaliCode

150717-0

AVG

Win32/Sality

2015.0.4355

Dr.Web

Win32.Sector.30

9.0.1.05190

Emsisoft Anti-Malware

Win32.Sality

11.5.0.6191

ESET NOD32

Win32/Sality.NBA virus

8.0.319.0

F-Prot

W32/Sality.gen2

4.6.5.141

F-Secure

Win32.Sality.3

5.15.96

Kaspersky

Trojan-Spy.Win32.AutoIt

15.0.0.562

McAfee

Trojan.Generic.tj

18.0.204.0

Microsoft Security Essentials

Threat.Undefined

1.217.1541.0

Norman

Win32.Sality.3

10.04.2016 15:29:17

VIPRE Antivirus

Threat.4721115

48238

File size:

732.5 KB (750,087 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\microsoft\office\rundll32.exe

File PE Metadata

Compilation timestamp:

1/18/2011 8:14:33 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

12288:GTyjXW+48qWywrU4kGFezOAVuJ5PIZww7F5DO3HYffWzFX:cIXW/8yw1ez54lIBF5SXYHMX

Entry address:

0x7ADD4

Entry point:

86, EB, 68, 81, 8E, F3, 00, 53, 18, E6, F2, 34, 74, EB, 05, B3, C5, 0F, AF, EF, 89, EA, FE, C2, 85, E9, E8, 00, 00, 00, 00, 2A, DA, 3C, A5, 85, C9, 11, C5, FE, C8, F7, C6, 89, 98, E3, 08, 30, E9, 40, 8B, DE, 69, C1, B1, DE, EA, CA, FF, C9, 8A, E2, 53, 0F, BE, C8, 5A, 75, 08, 85, C3, 0F, AF, CF, 0F, AF, EA, 3B, C0, 75, 02, 32, EF, 8B, FA, 81, FD, 74, 5F, 00, 00, 73, 02, 34, 9E, F6, C5, E9, 84, DF, 2B, F7, 38, F5, 86, CF, 8D, 05, FB, F3, E3, 1D, 58, 81, F2, AE, FD, E8, F1, 0B, F5, 8A, C8, EB, 02, 89, D5, 81... 
[+]

Entropy:

6.8420

Code size:

556.5 KB (569,856 bytes)

Windows Firewall Allowed Program

Name:

rundll32.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to server.WebsByAmy.com (98.142.100.146:80)

TCP (HTTP):

Connects to box383.bluehost.com (69.89.31.183:80)

TCP (HTTP):

Connects to box361.bluehost.com (69.89.31.161:80)

TCP (HTTP):

Connects to 217-160-0-4.elastic-ssl.ui-r.com (217.160.0.4:80)

TCP (HTTP):

Connects to 217-160-0-39.elastic-ssl.ui-r.com (217.160.0.39:80)

TCP (HTTP):

Connects to 199-255-210-165.anchorfree.com (199.255.210.165:80)

Remove rundll32.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.