CustomShellHost[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

CustomShellHost.exe
Size

1.2MB
MD5

f0a4bbcba8a673cbd8ff69281e8cab05
SHA1

e9ea302d51b3b194dbd69f5b821437ed3a23062b
SHA256

11c2bf126546b5f0a42cb34dd3f02263b6504dde2033ad3f037f9b30c10f8460
SHA512

3ebc15b22d0dd6beb19212f70c5099947e7be0ea33940b1c7944b8c85df28bb508a6738a07f6eb1f4b6d8f8dfdf8917b153d839f1b478a715d5a2b5d761ed29c
SSDEEP

24576:9uLkClkp3JHorp8P3CbVRqtaEsJavAc4QFr6WsGqRdCxYRINTXYXD+K3kLBFweDh:8LkClkp+p8P3CmtdsJavAAlqTdaXkJ3S

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CustomShellHost.exe

Files

CustomShellHost.exe
.exe windows:10 windows x64 arch:x64

6fdba23a6d701db38b3cc15a5bec69ef

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

GetTokenInformation
EventUnregister
RegGetValueW
EventSetInformation
EventRegister
EventWriteTransfer
QueryServiceStatus
EventWrite
EventEnabled
GetSecurityDescriptorDacl
ConvertSecurityDescriptorToStringSecurityDescriptorW
CloseServiceHandle
NotifyServiceStatusChangeW
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
TraceMessage
SetNamedSecurityInfoW
SetEntriesInAclW
RegDeleteKeyExW
AddAce
InitializeAcl
SetSecurityInfo
DeleteAce
GetAce
GetAclInformation
GetSecurityInfo
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegEnumValueW
RegSetValueExW
RegQueryValueExW
RegCreateKeyExW
RegEnumKeyExW
RegDeleteValueW
EqualSid
GetNamedSecurityInfoW
LsaLookupNames2
LsaClose
LsaFreeMemory
LsaOpenPolicy
CheckTokenMembership
DuplicateToken
EventActivityIdControl
IsValidSid
GetLengthSid
CopySid
OpenThreadToken
OpenProcessToken
CreateWellKnownSid
ConvertSidToStringSidW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
RegSetKeyValueW

kernel32

GetProcessHeap
GetCurrentProcessId
DeleteCriticalSection
AcquireSRWLockShared
LocalFree
CreateProcessW
GetModuleHandleW
DebugBreak
IsDebuggerPresent
CreateMutexExW
GetProcAddress
HeapAlloc
CreateThreadpoolTimer
RaiseException
ReleaseSRWLockShared
SetThreadpoolTimer
CloseHandle
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
InitOnceComplete
CloseThreadpoolTimer
OutputDebugStringW
ReleaseSRWLockExclusive
GetLastError
FormatMessageW
Sleep
ReleaseMutex
GetCurrentThreadId
LocalAlloc
WaitForSingleObject
WaitForThreadpoolTimerCallbacks
InitializeCriticalSectionEx
LeaveCriticalSection
K32GetModuleFileNameExW
GetModuleFileNameW
GetModuleHandleExW
ReleaseSemaphore
EnterCriticalSection
SetLastError
SetPriorityClass
CreateEventExW
SetProcessShutdownParameters
SetErrorMode
CreateEventW
SetEvent
RegisterApplicationRestart
TzSpecificLocalTimeToSystemTime
FileTimeToSystemTime
FileTimeToLocalFileTime
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
GetTickCount
GetTimeZoneInformationForYear
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
TrySubmitThreadpoolCallback
GetModuleHandleExA
GetProcessMitigationPolicy
FindResourceExW
LoadResource
WaitForMultipleObjectsEx
OpenEventW
GetCurrentThread
LoadLibraryExW
GetPackagesByPackageFamily
OpenStateExplicit
CloseState
CreateMutexW
InterlockedPushEntrySList
FreeLibrary
LoadLibraryW
PowerCreateRequest
PowerSetRequest
CompareStringOrdinal
CreateFileW
WideCharToMultiByte
FindStringOrdinal
DeleteFileW
GetFileAttributesW
GetTickCount64
OpenProcess
LocalReAlloc
MultiByteToWideChar
InitializeCriticalSection
SizeofResource
CreateThread
lstrcmpiW
InitOnceBeginInitialize
GetSystemAppDataKey
DelayLoadFailureHook
ResolveDelayLoadedAPI
AssignProcessToJobObject
CreateJobObjectW
SetInformationJobObject
CreateIoCompletionPort
GetQueuedCompletionStatus
DeviceIoControl
GetNativeSystemInfo
GetSystemDirectoryW
GetVersionExW
ProcessIdToSessionId
ResetEvent
UnmapViewOfFile
GetProcessId
CreateFileMappingW
InitOnceExecuteOnce
GetUserDefaultGeoName
GetExitCodeProcess
SleepEx
ResumeThread
SetThreadPriorityBoost
SetThreadPriority
CopyFileW
WriteFile
FindPackagesByPackageFamily
GetCommandLineW
GetEnvironmentVariableW
SetEnvironmentVariableW
GetGeoInfoW
CompareFileTime
GetWindowsDirectoryW
CompareStringW
ExpandEnvironmentStringsW
InitializeSRWLock
VerifyVersionInfoW
VerSetConditionMask
GetSystemTime
GetProductInfo
OpenFileMappingW
MapViewOfFile
OOBEComplete

msvcp_win

??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
_Cnd_do_broadcast_at_thread_exit
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
_Thrd_detach
_Thrd_yield
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?_ReportUnobservedException@details@Concurrency@@YAXXZ
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_wait
_Mtx_unlock
_Mtx_lock
?_Throw_C_error@std@@YAXH@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Xout_of_range@std@@YAXPEBD@Z

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_initterm
_initterm_e
_c_exit

api-ms-win-crt-private-l1-1-0

_o__recalloc
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_errno
_o__set_fmode
_o__set_new_mode
_o__wcsicmp
_o_abort
_o_exit
_o_free
_o_iswspace
_o_lround
_o_malloc
_o_realloc
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstoll
__C_specific_handler
__CxxFrameHandler3
__current_exception
__current_exception_context
_CxxThrowException
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
wcschr
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__itow_s
_o__itoa_s
_o__purecall
_o__cexit
_o__callnewh
_o__beginthreadex
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcsrchr
__std_terminate
wcsstr
__CxxFrameHandler4
__C_specific_handler_noexcept
memcmp
memcpy
memmove

api-ms-win-crt-string-l1-1-0

wcscmp
memset
strncmp
wcscspn

api-ms-win-core-com-l1-1-0

CoSetProxyBlanket
CLSIDFromString
StringFromIID
CoGetApartmentType
CoWaitForMultipleHandles
CoRegisterClassObject
CoGetMalloc
StringFromGUID2
PropVariantClear
CoRevokeClassObject
CoTaskMemRealloc
CoInitializeEx
CoTaskMemFree
CoCreateInstance
CoUninitialize
CoTaskMemAlloc
CoGetObjectContext

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsPreallocateStringBuffer
WindowsPromoteStringBuffer
WindowsDeleteStringBuffer
WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCompareStringOrdinal
WindowsCreateStringReference
WindowsSubstringWithSpecifiedLength
WindowsDuplicateString

oleaut32

VariantInit
SysAllocString
SysFreeString
SystemTimeToVariantTime
VariantTimeToSystemTime
SysStringLen
VarUI4FromStr
VariantClear
GetErrorInfo
SetErrorInfo

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize
RoActivateInstance
RoGetActivationFactory

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
GetCurrentProcess
TerminateProcess

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

shcore

SHDeleteValueW
SHUnicodeToAnsi
SHSetValueW
SHGetValueW
SHDeleteKeyW
IsOS
SHRegGetValueW
ord191
SHTaskPoolQueueTask
SetCurrentProcessExplicitAppUserModelID
SHQueryInfoKeyW
ord190
ord184
ord186
SHSetThreadRef
SHCreateThreadRef
SHGetThreadRef
IUnknown_Set
IUnknown_QueryService
IUnknown_SetSite

propsys

PropVariantToUInt32
PSPropertyBag_WriteInt
PropVariantToStringAlloc
InitVariantFromBuffer
PSCreateMemoryPropertyStore
PSPropertyBag_WriteDWORD
PSPropertyBag_ReadDWORD

ntdll

NtPowerInformation
RtlInitUnicodeString
RtlNtStatusToDosError
RtlPublishWnfStateData
RtlQueryUnbiasedInterruptTime
NtQuerySystemInformation
NtQueryInformationProcess
RtlGetNtSystemRoot
NtSetThreadExecutionState
NtOpenKey
RtlRunOnceExecuteOnce
NtDeviceIoControlFile
NtClose
RtlGetSuiteMask
NtCreateFile
NtQueryValueKey
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
NtOpenThreadToken
NtQueryInformationToken
NtOpenProcessToken
RtlUnsubscribeWnfNotificationWaitForCompletion
NtQueryWnfStateData
RtlSubscribeWnfStateChangeNotification

ole32

OleUninitialize
CoGetStdMarshalEx
CoCreateFreeThreadedMarshaler
CoAllowSetForegroundWindow
OleInitialize
RevokeDragDrop
RoGetAgileReference
CreateBindCtx
CoGetCallContext

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

shell32

ord244
ord899
ord938
SHChangeNotifyRegisterThread
ord188
ord904
ord100
SHGetKnownFolderItem
ord155
ord68
SHGetKnownFolderIDList
SHGetIDListFromObject
SHBindToObject
SHCreateItemInKnownFolder
ord172
ord680
ord723
ord885
SHEvaluateSystemCommandTemplate
SHParseDisplayName
SHBindToParent
ord152
SHGetKnownFolderPath

shlwapi

ord544
ord260
ord256
ord212
ord515
ord158
ord240
ord219
ord197
StrChrW

user32

UnhookWindowsHookEx
GetAsyncKeyState
CallNextHookEx
UnregisterClassA
PostThreadMessageW
GetProcessWindowStation
TranslateMessage
CreateWindowInBand
SetWindowsHookExW
PeekMessageW
EnableMouseInPointer
DispatchMessageW
WaitMessage
GetSystemMetrics
PostMessageW
DestroyMenu
GetMenuDefaultItem
CreatePopupMenu
IsCharAlphaNumericW
CharLowerW
UnregisterClassW
GetMessageW
LockWorkStation
CloseDesktop
GetUserObjectInformationW
GetThreadDesktop
SetWinEventHook
MonitorFromPoint
ExitWindowsEx
FindWindowW
SetRectEmpty
CharLowerBuffW
CharNextW
GetWindowThreadProcessId
UnhookWinEvent
MsgWaitForMultipleObjectsEx
SetCursor
GetPropW
EnumDisplayMonitors
GetMonitorInfoW
CopyRect
SetGestureConfig
SetFocus
TranslateAcceleratorW
GetClassNameW
PostQuitMessage
SetShellWindowEx
UpdateWindow
SetWindowPos
EnumChildWindows
SendMessageW
RemovePropW
ShowWindow
GetSysColor
SetPropW
SetShellWindow
GetClientRect
KillTimer
InvalidateRect
BeginPaint
EndPaint
GetDC
ReleaseDC
UnregisterHotKey
RegisterShellHookWindow
DeregisterShellHookWindow
SetTaskmanWindow
GetTaskmanWindow
SystemParametersInfoW
RegisterWindowMessageW
GetShellWindow
DefWindowProcW
DestroyWindow
SetWindowLongPtrW
CreateWindowExW
GetWindowLongPtrW
RegisterClassExW
IsWindow
LoadCursorW

gdi32

GetStockObject
GetDeviceCaps

sspicli

GetUserNameExW

api-ms-win-security-lsalookup-l1-1-2

LsaLookupUserAccountType

api-ms-win-core-winrt-error-l1-1-0

RoTransformError
RoOriginateError

userenv

DeriveAppContainerSidFromAppContainerName
GetProfileType

api-ms-win-core-path-l1-1-0

PathCchAppend
PathCchCombine

api-ms-win-power-base-l1-1-0

GetPwrCapabilities
CallNtPowerInformation

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceLoggerHandle
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
GetTraceEnableFlags

api-ms-win-service-management-l1-1-0

StartServiceW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathIsFileSpecW
PathQuoteSpacesW
PathFileExistsW
SHExpandEnvironmentStringsW
PathFindFileNameW
PathGetArgsW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

comctl32

ord334
ord328
ord329

rpcrt4

RpcStringFreeW
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
RpcBindingFree
I_RpcExceptionFilter
RpcStringBindingComposeW
NdrClientCall3

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-security-lsalookup-l1-1-1

ReleaseIdentityProviderEnumContext
GetDefaultIdentityProvider
EnumerateIdentityProviders
GetIdentityProviderInfoByGUID

Exports

Exports

FileTimeToVariantTime
InitPropVariantFromFileTimeEx
InitPropVariantFromSystemTimeEx
VariantTimeToFileTime
_ConvertTimeHelper

Sections

.text
Size: 940KB - Virtual size: 938KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 220KB - Virtual size: 216KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6fdba23a6d701db38b3cc15a5bec69ef

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

oleaut32

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

shcore

propsys

ntdll

ole32

wtsapi32

shell32

shlwapi

user32

gdi32

sspicli

api-ms-win-security-lsalookup-l1-1-2

api-ms-win-core-winrt-error-l1-1-0

userenv

api-ms-win-core-path-l1-1-0

api-ms-win-power-base-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-2

comctl32

rpcrt4

api-ms-win-core-apiquery-l1-1-0

api-ms-win-security-lsalookup-l1-1-1

Exports

Exports

Sections

.text Size: 940KB - Virtual size: 938KB

.imrsiv Size: - Virtual size: 4B

.rdata Size: 220KB - Virtual size: 216KB

.data Size: 8KB - Virtual size: 11KB

.pdata Size: 32KB - Virtual size: 28KB

.didat Size: 4KB - Virtual size: 488B

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 5KB

.text
Size: 940KB - Virtual size: 938KB

.imrsiv
Size: - Virtual size: 4B

.rdata
Size: 220KB - Virtual size: 216KB

.data
Size: 8KB - Virtual size: 11KB

.pdata
Size: 32KB - Virtual size: 28KB

.didat
Size: 4KB - Virtual size: 488B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 5KB