{
	"id": "ff645ddb-d3c0-4912-bbec-914945bd7890",
	"created_at": "2026-04-06T00:09:00.220033Z",
	"updated_at": "2026-04-10T03:20:31.950512Z",
	"deleted_at": null,
	"sha1_hash": "b04658ece8f9a4e1cbcb4b6acd46c97079380d4a",
	"title": "https://www.malvuln.com/advisory/7d7ee58c2696794b3be958b165eb61a9.txt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37524,
	"plain_text": "https://www.malvuln.com/advisory/7d7ee58c2696794b3be958b165eb61a9.txt\r\nArchived: 2026-04-05 17:15:09 UTC\r\nDiscovery / credits: Malvuln - malvuln.com (c) 2022\r\nOriginal source: https://malvuln.com/advisory/7d7ee58c2696794b3be958b165eb61a9.txt\r\nContact: malvuln13@gmail.com\r\nMedia: twitter.com/malvuln\r\nThreat: REvil Ransom\r\nVulnerability: Code Execution\r\nDescription: REvil looks for and executes DLLs in its current directory. Therefore, we can potentially hijack\r\nFamily: REvil\r\nType: PE32\r\nMD5: 7d7ee58c2696794b3be958b165eb61a9\r\nVuln ID: MVID-2022-0577\r\nDisclosure: 05/03/2022\r\nVideo PoC URL: https://www.youtube.com/watch?v=WnDxcYzfbUQ\r\nExploit/PoC:\r\n1) Compile the following C code as \"CLDAPI.dll\"\r\n2) Place the DLL in same directory as the ransomware\r\n3) Optional - Hide it: attrib +s +h \"CLDAPI.dll\"\r\n4) Run Conti\r\n#include \"windows.h\"\r\n#include \"stdio.h\"\r\n//By malvuln\r\n//Purpose: Code Execution\r\n//Target: REvi Ransomware\r\n//MD5: 7d7ee58c2696794b3be958b165eb61a9\r\n/** DISCLAIMER:\r\nAuthor is NOT responsible for any damages whatsoever by using this software or improper malware\r\nhandling. 
By using this code you assume and accept all risk implied or otherwise.\r\n**/\r\n//gcc -c CLDAPI.c -m32\r\n//gcc -shared -o CLDAPI.dll CLDAPI.o -m32\r\nBOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){\r\n switch (reason) {\r\n case DLL_PROCESS_ATTACH:\r\n MessageBox(NULL, \"Code Exec\", \"by malvuln\", MB_OK);\r\n TCHAR buf[MAX_PATH];\r\n GetCurrentDirectory(MAX_PATH, TEXT(buf));\r\n int rc = strcmp(\"C:\\\\Windows\\\\System32\", TEXT(buf));\r\n if(rc != 0){\r\n HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());\r\nif (NULL != handle) {\r\n TerminateProcess(handle, 0);\r\n CloseHandle(handle);\r\n }\r\n }\r\n break;\r\n }\r\n return TRUE;\r\n}\r\nDisclaimer: The information contained within this advisory is supplied \"as-is\" with no warranties or guarantee\r\nSource: https://www.malvuln.com/advisory/7d7ee58c2696794b3be958b165eb61a9.txt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.malvuln.com/advisory/7d7ee58c2696794b3be958b165eb61a9.txt"
	],
	"report_names": [
		"7d7ee58c2696794b3be958b165eb61a9.txt"
	],
	"threat_actors": [],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b04658ece8f9a4e1cbcb4b6acd46c97079380d4a.pdf",
		"text": "https://archive.orkl.eu/b04658ece8f9a4e1cbcb4b6acd46c97079380d4a.txt",
		"img": "https://archive.orkl.eu/b04658ece8f9a4e1cbcb4b6acd46c97079380d4a.jpg"
	}
}