WindowsTerminalShellExt[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

WindowsTerminalShellExt.dll
Size

125KB
MD5

0c2e2bcaafe3ed4dad126bf2b6a4333d
SHA1

02ca7a99a9146b9a5cb0bbc121b6ad29b4f628df
SHA256

a9e32efeb177647dcba160297bdeb8e1b2084e5d8d38a5092e200cbd587a8370
SHA512

3dcd13319f802df57ef10966ccc6018ec4d49bfbc1fde861b303150ff2554666c77aac610a755c45d941a650c0598bb342f4d589f133faacab3b008f2e88cdd3
SSDEEP

3072:M0W+L2rJoNJ0Mug1k0CdTim1j6A16E0kNparc1AfKIB72IT:M0W+L2eJLuQCdTimdNNErcqyw

Score

1^/10

Malware Config

Signatures

Files

WindowsTerminalShellExt.dll
.dll windows:6 windows x64 arch:x64

49452979ac1edeb49247d1fb3f67dff2

Code Sign

33:00:00:03:ae:2d:35:51:c8:53:8f:55:1d:00:00:00:00:03:ae
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:08

Not After

14/11/2024, 19:08

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

fa:b1:0a:b1:eb:af:3f:f4:ea:28:77:6f:ed:99:0f:67:7b:24:27:16:84:66:f7:f9:8e:fa:09:eb:b3:8f:1d:1f
Signer

Actual PE Digest

fa:b1:0a:b1:eb:af:3f:f4:ea:28:77:6f:ed:99:0f:67:7b:24:27:16:84:66:f7:f9:8e:fa:09:eb:b3:8f:1d:1f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\__w\1\s\bin\x64\Release\WindowsTerminalShellExt\WindowsTerminalShellExt.pdb

Imports

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetModuleFileNameW
GetModuleHandleExW
DisableThreadLibraryCalls
FreeLibrary
GetModuleFileNameA

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
WaitForSingleObject
OpenSemaphoreW
WaitForSingleObjectEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
AcquireSRWLockShared
ReleaseSemaphore
ReleaseMutex
CreateMutexExW
InitializeCriticalSectionAndSpinCount
ReleaseSRWLockShared
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-errorhandling-l1-1-0

GetLastError
RaiseException
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
CreateProcessW
TlsAlloc
TlsGetValue
GetCurrentProcess
TlsSetValue
TlsFree
GetCurrentThreadId
TerminateProcess

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-com-l1-1-0

CoTaskMemFree

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoOriginateErrorW

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-psapi-l1-1-0

K32GetModuleFileNameExW

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-synch-l1-2-0

SleepConditionVariableSRW
WakeAllConditionVariable
InitOnceExecuteOnce

api-ms-win-core-winrt-string-l1-1-0

WindowsStringHasEmbeddedNull
WindowsGetStringRawBuffer
WindowsIsStringEmpty

user32

GetAsyncKeyState

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_initialize_narrow_environment
_crt_atexit
_cexit
_configure_narrow_argv
_seh_filter_dll
_execute_onexit_table
_initterm
_initterm_e
terminate
_invalid_parameter_noinfo
abort
_errno
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-string-l1-1-0

iswspace
strcpy_s
wcsncmp

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InterlockedFlushSList
InitializeSListHead
InterlockedPushEntrySList

api-ms-win-crt-heap-l1-1-0

calloc
malloc
_callnewh
free

oleaut32

SetErrorInfo
GetErrorInfo
SysAllocString
SysStringLen
SysFreeString

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject

Sections

.text
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 992B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 632B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

49452979ac1edeb49247d1fb3f67dff2

Code Sign

33:00:00:03:ae:2d:35:51:c8:53:8f:55:1d:00:00:00:00:03:aeCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

fa:b1:0a:b1:eb:af:3f:f4:ea:28:77:6f:ed:99:0f:67:7b:24:27:16:84:66:f7:f9:8e:fa:09:eb:b3:8f:1d:1fSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-winrt-string-l1-1-0

user32

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-crt-heap-l1-1-0

oleaut32

api-ms-win-core-libraryloader-l1-2-1

Exports

Exports

Sections

.text Size: 76KB - Virtual size: 76KB

.rdata Size: 29KB - Virtual size: 28KB

.data Size: 1KB - Virtual size: 4KB

.pdata Size: 5KB - Virtual size: 4KB

_RDATA Size: 512B - Virtual size: 500B

.rsrc Size: 1024B - Virtual size: 992B

.reloc Size: 1024B - Virtual size: 632B

33:00:00:03:ae:2d:35:51:c8:53:8f:55:1d:00:00:00:00:03:ae
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

fa:b1:0a:b1:eb:af:3f:f4:ea:28:77:6f:ed:99:0f:67:7b:24:27:16:84:66:f7:f9:8e:fa:09:eb:b3:8f:1d:1f
Signer

.text
Size: 76KB - Virtual size: 76KB

.rdata
Size: 29KB - Virtual size: 28KB

.data
Size: 1KB - Virtual size: 4KB

.pdata
Size: 5KB - Virtual size: 4KB

_RDATA
Size: 512B - Virtual size: 500B

.rsrc
Size: 1024B - Virtual size: 992B

.reloc
Size: 1024B - Virtual size: 632B