CustomShellHost[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

CustomShellHost.exe
Size

906KB
MD5

03794b741cf71ecfa2632d7ff547f97a
SHA1

377611bde6185a92d0d587bbd9d2759311bb3545
SHA256

aa56a47a4a4e56e2906ac4ab4b11f4cd80c1dfd47a1e62f6f002efb478238e58
SHA512

ff4f55b7a33b422da58f7f20f4d3718e4224efde34d4e0095cb0b6a2052c1d82901c2e1f6ada4a85ae92cadda27830a0feac69e18c22a1086d540860191fd48d
SSDEEP

24576:v3RMrF5pX1tWMpjzdRJNREhXllLFdG0CJo8qrY6Nwzh:vyrDtWizNREhXlNG0C286Czh

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CustomShellHost.exe

Files

CustomShellHost.exe
.exe windows x64

6b40f3a72b19919cc6b088c8ba8ac659

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

GetTokenInformation
RegGetValueW
EventUnregister
EventSetInformation
EventRegister
EventWriteTransfer
IsValidSid
GetLengthSid
CopySid
OpenThreadToken
OpenProcessToken
ConvertSidToStringSidW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
RegSetKeyValueW
GetNamedSecurityInfoW
EqualSid
RegDeleteValueW
RegEnumKeyExW
RegCreateKeyExW
RegQueryValueExW
RegSetValueExW
RegEnumValueW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegDeleteKeyValueW
GetSecurityInfo
GetAclInformation
GetAce
DeleteAce
SetSecurityInfo
InitializeAcl
AddAce
RegDeleteKeyExW
SetEntriesInAclW
SetNamedSecurityInfoW
TraceMessage
OpenSCManagerW
OpenServiceW
QueryServiceConfigW
NotifyServiceStatusChangeW
CloseServiceHandle
EventEnabled
EventWrite
QueryServiceStatus
EventActivityIdControl
EventProviderEnabled
CreateWellKnownSid
LsaLookupNames2
LsaClose
LsaFreeMemory
LsaOpenPolicy
CheckTokenMembership
DuplicateToken

kernel32

GetPackagesByPackageFamily
GetSystemAppDataKey
CloseState
OpenStateExplicit
CreateMutexW
ResolveDelayLoadedAPI
DelayLoadFailureHook
GetProcessMitigationPolicy
InitOnceExecuteOnce
WideCharToMultiByte
CreateJobObjectW
SetInformationJobObject
CreateIoCompletionPort
GetQueuedCompletionStatus
OpenProcess
ResetEvent
ExpandEnvironmentStringsW
GetProcessId
ProcessIdToSessionId
WaitForMultipleObjects
GetUserDefaultGeoName
GetExitCodeProcess
SleepEx
ResumeThread
SetThreadPriorityBoost
SetThreadPriority
CopyFileW
WriteFile
GetCommandLineW
VerifyVersionInfoW
VerSetConditionMask
InitializeSRWLock
GetFileAttributesW
GetLocaleInfoW
GetThreadUILanguage
GetWindowsDirectoryW
GetSystemDirectoryW
CompareFileTime
GetSystemTime
GetVersionExW
GetProductInfo
CreateThread
SizeofResource
InitializeCriticalSection
MultiByteToWideChar
LocalReAlloc
GetTickCount64
lstrcmpiW
DeleteFileW
FindStringOrdinal
CreateFileW
CompareStringOrdinal
PowerSetRequest
PowerCreateRequest
LoadLibraryW
FreeLibrary
LoadLibraryExW
GetCurrentThread
OpenEventW
WaitForMultipleObjectsEx
LoadResource
FindResourceExW
GetTimeZoneInformationForYear
GetTickCount
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
FileTimeToLocalFileTime
FileTimeToSystemTime
TzSpecificLocalTimeToSystemTime
RegisterApplicationRestart
InitOnceComplete
SetEvent
CreateEventW
SetErrorMode
SetProcessShutdownParameters
CreateEventExW
SetPriorityClass
InitOnceBeginInitialize
IsDebuggerPresent
DebugBreak
GetModuleHandleW
CreateProcessW
GetProcessHeap
GetCurrentProcessId
DeleteCriticalSection
AcquireSRWLockShared
LocalFree
CreateMutexExW
GetProcAddress
HeapAlloc
CreateThreadpoolTimer
RaiseException
ReleaseSRWLockShared
SetThreadpoolTimer
CloseHandle
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
CloseThreadpoolTimer
OutputDebugStringW
ReleaseSRWLockExclusive
GetLastError
FormatMessageW
Sleep
ReleaseMutex
GetCurrentThreadId
LocalAlloc
WaitForSingleObject
WaitForThreadpoolTimerCallbacks
InitializeCriticalSectionEx
LeaveCriticalSection
GetModuleFileNameW
GetModuleHandleExW
ReleaseSemaphore
EnterCriticalSection
SetLastError
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
AssignProcessToJobObject
FindPackagesByPackageFamily

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_c_exit
_register_thread_local_exe_atexit_callback
_initterm

api-ms-win-crt-private-l1-1-0

_o__seh_filter_exe
_o__set_app_type
_o__set_errno
_o__set_fmode
_o__set_new_mode
_o__wcsicmp
_o__wcsnicmp
_o__wtoi
_o_exit
_o_free
_o_iswalnum
_o_iswspace
_o_malloc
_o_terminate
_o_toupper
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
__C_specific_handler
__CxxFrameHandler3
_CxxThrowException
_o__purecall
_o__exit
_o__errno
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__callnewh
_o__register_onexit_function
_o__recalloc
_o__itow_s
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
wcschr
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
_o__get_wide_winmain_command_line
_o__get_errno
wcsrchr
__std_terminate
wcsstr
__CxxFrameHandler4
memcmp
memcpy
memmove

api-ms-win-crt-string-l1-1-0

memset
wcscmp
wcscspn

api-ms-win-core-com-l1-1-0

CoTaskMemRealloc
CoRegisterClassObject
PropVariantClear
CoGetMalloc
CoTaskMemAlloc
StringFromIID
CoSetProxyBlanket
CoGetApartmentType
CoWaitForMultipleHandles
CoRevokeClassObject
CoInitializeEx
CoTaskMemFree
CoCreateInstance
CoUninitialize
CLSIDFromString

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsDeleteString
WindowsGetStringRawBuffer
WindowsDuplicateString
WindowsCreateStringReference
WindowsSubstringWithSpecifiedLength

oleaut32

VariantClear
SysAllocString
SystemTimeToVariantTime
VariantInit
VarUI4FromStr
SysFreeString
SysStringLen
VariantTimeToSystemTime

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoInitialize
RoUninitialize
RoActivateInstance

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
GetCurrentProcess
TerminateProcess

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

shcore

ord190
ord162
SHTaskPoolQueueTask
SHQueryInfoKeyW
IsOS
SHRegGetValueW
SHDeleteValueW
SHSetValueW
SHGetValueW
SetCurrentProcessExplicitAppUserModelID
ord184
ord186
SHSetThreadRef
SHCreateThreadRef
SHGetThreadRef
IUnknown_Set
IsProcessInWDAGContainer
ord123
SHStrDupW
IUnknown_SetSite
SHUnicodeToAnsi
IUnknown_QueryService

propsys

PSCreateMemoryPropertyStore
PSPropertyBag_WriteDWORD
PSPropertyBag_WriteInt
PSPropertyBag_ReadDWORD
PropVariantToStringAlloc
PropVariantToUInt32
InitVariantFromBuffer

ntdll

NtQueryInformationProcess
WinSqmAddToStreamEx
WinSqmIsOptedIn
RtlPublishWnfStateData
WinSqmSetDWORD
RtlInitUnicodeString
RtlNtStatusToDosError
NtSetThreadExecutionState
NtDeviceIoControlFile
NtClose
NtOpenKey
RtlGetSuiteMask
NtCreateFile
NtQueryValueKey
RtlIsStateSeparationEnabled
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlGetNtSystemRoot
NtOpenProcessToken
NtQueryInformationToken
NtOpenThreadToken
RtlRunOnceExecuteOnce
RtlSubscribeWnfStateChangeNotification
NtQueryWnfStateData
RtlUnsubscribeWnfNotificationWaitForCompletion

ole32

OleUninitialize
CoCreateFreeThreadedMarshaler
CoAllowSetForegroundWindow
OleInitialize
RevokeDragDrop
CoGetCallContext
RoGetAgileReference
CoGetStdMarshalEx
CreateBindCtx
StringFromGUID2

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

shell32

ord938
SHChangeNotifyRegisterThread
SHCreateItemInKnownFolder
SHGetKnownFolderPath
ord172
ord680
ord723
ord885
SHEvaluateSystemCommandTemplate
SHParseDisplayName
ord188
ord904
ord244
SHBindToParent
SHGetIDListFromObject
ord100
ord155
ord68
SHGetKnownFolderIDList
SHBindToObject
SHGetKnownFolderItem
ord152
ord899

shlwapi

ord197
ord219
ord515
ord158
ord240
StrStrIW
StrRChrW
ord212
StrChrW
ord544
ord256

user32

ReleaseDC
UnregisterHotKey
RegisterShellHookWindow
GetProcessWindowStation
PostThreadMessageW
DeregisterShellHookWindow
SetTaskmanWindow
GetTaskmanWindow
SystemParametersInfoW
RegisterWindowMessageW
TranslateMessage
PeekMessageW
EnableMouseInPointer
DispatchMessageW
WaitMessage
GetSystemMetrics
PostMessageW
GetDC
EndPaint
LoadCursorW
IsWindow
BeginPaint
UnregisterClassA
InvalidateRect
RegisterClassExW
KillTimer
GetClientRect
GetWindowLongPtrW
SetShellWindow
CreateWindowExW
SetPropW
GetSysColor
ShowWindow
CreateWindowInBand
RemovePropW
SendMessageW
EnumChildWindows
SetWindowPos
SetWindowsHookExW
UnhookWindowsHookEx
GetAsyncKeyState
CallNextHookEx
DefWindowProcW
SetWindowLongPtrW
GetShellWindow
DestroyWindow
UpdateWindow
DestroyMenu
GetMenuDefaultItem
CreatePopupMenu
IsCharAlphaNumericW
CharLowerW
UnregisterClassW
GetMessageW
LockWorkStation
CloseDesktop
GetUserObjectInformationW
GetThreadDesktop
SetWinEventHook
ExitWindowsEx
FindWindowW
CharLowerBuffW
CharNextW
GetWindowThreadProcessId
UnhookWinEvent
MsgWaitForMultipleObjectsEx
SetCursor
GetPropW
CopyRect
SetGestureConfig
SetFocus
TranslateAcceleratorW
GetClassNameW
PostQuitMessage
SetShellWindowEx

gdi32

GetStockObject
GetDeviceCaps

sspicli

GetUserNameExW

api-ms-win-security-lsalookup-l1-1-2

LsaLookupUserAccountType

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx
CallNtPowerInformation
GetPwrCapabilities

userenv

DeriveAppContainerSidFromAppContainerName
GetProfileType

wkscli

NetGetJoinInformation

api-ms-win-core-path-l1-1-0

PathCchAppend
PathCchCombine

netutils

NetApiBufferFree

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
RegisterTraceGuidsW
UnregisterTraceGuids

api-ms-win-service-management-l1-1-0

StartServiceW

api-ms-win-core-registry-l1-1-0

RegDeleteTreeW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathGetArgsW
PathIsFileSpecW
SHExpandEnvironmentStringsW
PathFileExistsW
PathQuoteSpacesW
PathFindFileNameW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

comctl32

ord334
ord329
ord328

rpcrt4

NdrClientCall3
RpcBindingFree
UuidFromStringW
RpcStringFreeW
RpcBindingSetAuthInfoExW
I_RpcExceptionFilter
RpcStringBindingComposeW
RpcBindingFromStringBindingW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-security-lsalookup-l1-1-1

GetIdentityProviderInfoByGUID
ReleaseIdentityProviderEnumContext
EnumerateIdentityProviders
GetDefaultIdentityProvider

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo
RoOriginateError
GetRestrictedErrorInfo

api-ms-win-core-sysinfo-l1-2-0

GetOsSafeBootMode

api-ms-win-core-winrt-error-l1-1-1

RoOriginateLanguageException

Exports

Exports

FileTimeToVariantTime
InitPropVariantFromFileTimeEx
InitPropVariantFromSystemTimeEx
VariantTimeToFileTime
_ConvertTimeHelper

Sections

.text
Size: 691KB - Virtual size: 691KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 180KB - Virtual size: 179KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6b40f3a72b19919cc6b088c8ba8ac659

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

oleaut32

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

shcore

propsys

ntdll

ole32

wtsapi32

shell32

shlwapi

user32

gdi32

sspicli

api-ms-win-security-lsalookup-l1-1-2

api-ms-win-power-base-l1-1-0

userenv

wkscli

api-ms-win-core-path-l1-1-0

netutils

api-ms-win-core-synch-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-2

comctl32

rpcrt4

api-ms-win-core-apiquery-l1-1-0

api-ms-win-security-lsalookup-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-winrt-error-l1-1-1

Exports

Exports

Sections

.text Size: 691KB - Virtual size: 691KB

.imrsiv Size: - Virtual size: 4B

.rdata Size: 180KB - Virtual size: 179KB

.data Size: 5KB - Virtual size: 10KB

.pdata Size: 21KB - Virtual size: 20KB

.didat Size: 1024B - Virtual size: 520B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 691KB - Virtual size: 691KB

.imrsiv
Size: - Virtual size: 4B

.rdata
Size: 180KB - Virtual size: 179KB

.data
Size: 5KB - Virtual size: 10KB

.pdata
Size: 21KB - Virtual size: 20KB

.didat
Size: 1024B - Virtual size: 520B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 4KB