rundll32.exe

The executable rundll32.exe has been detected as malware by 24 of 68 anti-virus scanners. Despite its name, it is not the Windows system file of the same name: the legitimate rundll32.exe lives in C:\Windows\System32 and is signed by Microsoft, whereas this file is a .NET binary installed under %APPDATA%\system, its original file name was ‘Play Rust Hack.exe’, and its Authenticode signature comes from a self-issued certificate (subject and issuer are the same GUID). It is set to start automatically when the user logs into Windows via the current-user Run registry key, under the value name ‘rundll32’. While running, it connects to h-117-227.a376.priv.bahnhof.se (213.80.117.227) on TCP port 201.
Publisher:
Microsoft  (as declared in the file’s own version information; the signer is the self-issued certificate {75F8BB5A-A5BE-4EED-BD1C-7F6E55702F48}, not Microsoft)

Product:
Client

Description:
rundll32

Version:
1.0.0.0

MD5:
d12c54c1adb0e5dd1b49e602fdc6b568

SHA-1:
9debb996af436004579c5acfabff5b048ee03f9a

SHA-256:
b121bbbc9e32254d03d1d4b1efe7b43abf2349f2cefbd611f3da5f1e69a22c61

Scanner detections:
24 / 68

Status:
Malware

Analysis date:
5/10/2024 11:36:32 PM UTC

Scan engine                Detection                     Engine version
Lavasoft Ad-Aware          Trojan.GenericKD.1752372      920
AhnLab V3 Security         Trojan/Win32.Agent            2014.07.17
Avira AntiVirus            TR/Dropper.MSIL.Gen8          7.11.162.8
avast!                     MSIL:GenMalicious-CI [Trj]    2014.9-140729
AVG                        MSIL4                         2015.0.3398
Baidu Antivirus            Trojan.MSIL.Kryptik           4.0.3.14729
Bitdefender                Trojan.GenericKD.1752372      1.0.20.1050
Emsisoft Anti-Malware      Trojan.GenericKD.1752372      8.14.07.29.08
ESET NOD32                 MSIL/Kryptik.AAK (variant)    8.10108
Fortinet FortiGate         W32/Fsysna.AAK!tr             7/29/2014
F-Secure                   Trojan.GenericKD.1752372      11.2014-29-07_3
G Data                     Trojan.GenericKD.1752372      14.7.24
IKARUS anti.virus          Trojan.Dropper.MSIL8          t3scan.1.6.1.0
K7 AntiVirus               Trojan                        13.180.12747
Kaspersky                  Trojan.Win32.Fsysna           14.0.0.3486
McAfee                     Artemis!D12C54C1ADB0          5600.7054
MicroWorld eScan           Trojan.GenericKD.1752372      15.0.0.630
NANO AntiVirus             Trojan.Win32.Fsysna.dcdggu    0.28.2.60881
Panda Antivirus            Trj/CI.A                      14.07.29.08
Qihoo 360 Security         HEUR/Malware.QVM03.Gen        1.0.0.1015
Sophos                     Mal/Generic-S                 4.98
Trend Micro House Call     TROJ_SPNR.07GD14              7.2.210
Trend Micro                TROJ_SPNR.07GD14              10.465.29
VIPRE Antivirus            Trojan.Win32.Generic          31332

File size:
270 KB (276,512 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Microsoft 2013

Original file name:
Play Rust Hack.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\system\rundll32.exe

Digital Signature
Authority:
{75F8BB5A-A5BE-4EED-BD1C-7F6E55702F48}  (self-issued: the subject and issuer below are identical, so the signature proves nothing about the publisher and is not trusted by Windows without an explicit root install)

Valid from:
5/24/2014 5:19:37 PM

Valid to:
5/24/2015 11:19:37 PM

Subject:
CN={75F8BB5A-A5BE-4EED-BD1C-7F6E55702F48}

Issuer:
CN={75F8BB5A-A5BE-4EED-BD1C-7F6E55702F48}

Serial number:
2FD9130F6ACC51874F2B6C49BE05E44D

File PE Metadata
Compilation timestamp:
7/5/2014 12:51:37 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:nX5qLVDWMVUqFna2v5qssJhdvePP6JOP2O0iWNxAUzPctlE7:nXwVDtFasohjs8iu6WPIE7

Entry address:
0x44B6E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
(FF 25 00 20 40 00 is jmp dword ptr [0x00402000], the standard six-byte native stub of a 32-bit .NET executable: it jumps through the import table into the CLR loader, and the managed code itself never appears at the native entry point.)

Entropy:
7.9519  (out of a maximum of 8 bits per byte; a value this close to 8 means most of the file is compressed or encrypted data, consistent with the Kryptik and Dropper detections above)

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
267 KB (273,408 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
rundll32

Command:
C:\users\{user}\appdata\roaming\system\rundll32.exe


The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to h-117-227.a376.priv.bahnhof.se  (213.80.117.227:201)
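The traits documented on this page (a system-utility name under %APPDATA%, a per-user Run key, a self-issued signer, a version-info OriginalFilename that does not match the on-disk name, and a connection to 213.80.117.227:201) can be checked on a host with the hunting script below. This is an added example, not code from the analysis page or from Reason Core Security; the SHA-256, path and C2 endpoint come from the page, while the list of system-binary names, the Run-command parsing and the use of Get-NetTCPConnection (Windows 8 / Server 2012 and later) are assumptions of the example.

```powershell
# Hunting script for the fake rundll32.exe described on this page.
# Added example; not part of the original analysis. IOCs below are from the page.
$IocSha256 = 'b121bbbc9e32254d03d1d4b1efe7b43abf2349f2cefbd611f3da5f1e69a22c61'
$IocC2Ip   = '213.80.117.227'
$IocC2Port = 201

# Assumed list of Windows binaries whose names malware commonly borrows.
$SystemNames = @('rundll32.exe', 'svchost.exe', 'explorer.exe', 'csrss.exe', 'lsass.exe')
$SystemDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Resolve-RunCommandPath {
    # Pull the executable path out of a Run-key command line (quoted path,
    # or bare path followed by arguments). Assumed command-line formats.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Test-RunKeyEntry {
    # Evaluate one autorun entry and return the suspicious traits found.
    param([string]$Name, [string]$Command)
    $path = [Environment]::ExpandEnvironmentVariables((Resolve-RunCommandPath $Command))
    $findings = @()

    $leaf = [IO.Path]::GetFileName($path)
    $dir  = [IO.Path]::GetDirectoryName($path)
    $inSystemDir = $SystemDirs | Where-Object { $dir -and $dir.StartsWith($_, 'OrdinalIgnoreCase') }
    if (($SystemNames -contains $leaf) -and -not $inSystemDir) {
        $findings += "system binary name '$leaf' outside System32/SysWOW64: $path"
    }
    if ($path -like "$env:APPDATA\*") {
        $findings += "autorun target lives under %APPDATA%: $path"
    }

    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $IocSha256) { $findings += "SHA-256 matches the sample on this page" }

        # Authenticode check: the page's sample is signed, but by a certificate
        # whose subject equals its issuer, so Windows reports it as untrusted.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') { $findings += "Authenticode status: $($sig.Status)" }
        $cert = $sig.SignerCertificate
        if ($cert -and $cert.Subject -eq $cert.Issuer) {
            $findings += "self-issued certificate (subject = issuer): $($cert.Subject)"
        }

        # Version info: the page's sample was built as 'Play Rust Hack.exe'
        # and renamed on disk, so OriginalFilename disagrees with the file name.
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        if ($vi.OriginalFilename -and $vi.OriginalFilename -ne $leaf) {
            $findings += "OriginalFilename '$($vi.OriginalFilename)' differs from on-disk name '$leaf'"
        }
    } else {
        $findings += "autorun target missing on disk: $path"
    }

    [pscustomobject]@{ Name = $Name; Command = $Command; Path = $path; Findings = $findings }
}

# 1. Walk the per-user Run key (the page's persistence location).
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
(Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS' } |      # drop the provider's PS* metadata properties
    ForEach-Object { Test-RunKeyEntry -Name $_.Name -Command $_.Value } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List Name, Path, Findings

# 2. Look for a live connection to the page's C2 endpoint and name the owning process.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $IocC2Ip -and $_.RemotePort -eq $IocC2Port } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "C2 connection {0}:{1} from PID {2} ({3})" -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess, $proc.Path
    }
```

Run it in the context of the user whose profile is suspected (the Run key is per-user, so an elevated session for a different account will not see it). A hit on the hash is conclusive; the other findings are heuristics, and a legitimate per-user application can trip the %APPDATA% check on its own, so weigh them together rather than individually.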
