RogueKillerPEShell[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

RogueKillerPEShell.dll
Size

3.2MB
MD5

4c2b29faa1dc61f042eaf209407efc1c
SHA1

de8ddbb009339774a175c413039ae8517d7685f3
SHA256

3c649b9ecc218d6ec4051eece717e900a65943161d15cd57d467f49a8e73e489
SHA512

cb8dadf3eaee9870b13df7f3db72ea8353a558530c64b0b7a7ec09033aafdfcf9ba0f3cdac0032143b98e9af36b3e8980a05cd428e57b95346e547e8eafba805
SSDEEP

49152:pS6VqJVtygaZz6ee3mKeIYv1Xdp2liKwzCaqZR/56VM6w7AeYWxpXZwR+iPLbWTq:X7CeN1A6ViA+UbTb

Score

1^/10

Malware Config

Signatures

Files

RogueKillerPEShell.dll
.dll regsvr32 windows:6 windows x64 arch:x64

56053b3f97886aaac249fca86113e9e8

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25-05-2021 00:00

Not After

31-12-2028 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-08-2022 00:00

Not After

09-11-2031 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22-03-2021 00:00

Not After

21-03-2036 23:59

Subject

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

18:39:af:85:74:aa:0e:80:c3:71:d9:80:34:61:dd:7b
Certificate

Issuer

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Not Before

13-01-2022 00:00

Not After

12-01-2025 23:59

Subject

CN=ADLICE,O=ADLICE,ST=Loire-Atlantique,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23-03-2022 00:00

Not After

22-03-2037 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21-09-2022 00:00

Not After

21-11-2033 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0d:7f:63:69:09:82:24:c0:ef:29:78:33:c1:c5:13:64:91:a7:3a:2e
Signer

Actual PE Digest

0d:7f:63:69:09:82:24:c0:ef:29:78:33:c1:c5:13:64:91:a7:3a:2e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

E:\Adlice\RogueKillerPE\x64\RelWithDebInfo\roguekillerpeshell.pdb

Imports

ws2_32

getaddrinfo
freeaddrinfo
getnameinfo
inet_pton
WSAIoctl

kernel32

GetShortPathNameW
DefineDosDeviceW
QueryDosDeviceW
DeviceIoControl
GetVolumeInformationW
SetErrorMode
Sleep
FormatMessageW
FlushFileBuffers
ReadFile
WriteFile
SetHandleInformation
PeekNamedPipe
CreateNamedPipeW
CancelIo
CreateEventW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
GetFileAttributesExW
RemoveDirectoryW
SetFileAttributesW
MoveFileW
MoveFileExW
SetEvent
ResetEvent
WaitForMultipleObjects
GetDiskFreeSpaceW
GetDriveTypeW
GetFileType
GetVolumePathNameW
SetFilePointerEx
GetVolumeNameForVolumeMountPointW
IsBadReadPtr
IsBadWritePtr
RtlCaptureContext
GetEnvironmentVariableW
OutputDebugStringA
GetLongPathNameW
GetVersionExA
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
GetStdHandle
SwitchToFiber
DeleteFiber
CreateFiber
QueryPerformanceCounter
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
LoadLibraryA
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
FormatMessageA
InitializeCriticalSectionEx
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
VerifyVersionInfoA
WaitForSingleObjectEx
ExpandEnvironmentStringsA
CreateFileMappingA
DecodePointer
GetFullPathNameW
GetCurrentDirectoryW
K32GetModuleInformation
GetSystemTime
Module32NextW
Module32FirstW
GetCPInfo
CompareStringW
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RtlPcToFileHeader
RtlUnwindEx
CreateThread
RaiseException
GetTimeFormatW
GetDateFormatW
SystemTimeToFileTime
FileTimeToSystemTime
InterlockedFlushSList
LoadLibraryExW
ExitProcess
SetConsoleCtrlHandler
ExitThread
FreeLibraryAndExitThread
GetStringTypeW
HeapReAlloc
GetConsoleCP
GetACP
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
SetStdHandle
WriteConsoleW
SetEnvironmentVariableA
SystemTimeToTzSpecificLocalTime
SetEndOfFile
HeapSize
GetTimeZoneInformation
FindFirstFileExA
FindNextFileA
GetComputerNameW
GetSystemDirectoryW
IsValidCodePage
ExpandEnvironmentStringsW
LocalAlloc
LocalFree
GetTickCount
UnmapViewOfFile
MapViewOfFile
CreateFileW
GetVersionExW
VerSetConditionMask
LoadLibraryW
FreeLibrary
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
K32GetProcessImageFileNameW
K32GetModuleFileNameExW
K32GetModuleBaseNameW
GetProcAddress
GetModuleHandleA
OpenProcess
GetProcessId
CreateProcessW
TerminateThread
TerminateProcess
GetCurrentProcessId
GetCurrentProcess
WaitForSingleObject
SetLastError
CloseHandle
DeleteFileW
WideCharToMultiByte
MultiByteToWideChar
lstrcmpiA
GlobalUnlock
GlobalLock
GetProcessHeap
HeapFree
HeapAlloc
GetThreadLocale
GetLocaleInfoW
GetModuleHandleW
lstrlenW
GetModuleFileNameW
DisableThreadLibraryCalls
GetLastError
EncodePointer
GetModuleFileNameA
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW

user32

GetSystemMetrics
SetRect
LoadIconW
DestroyIcon
DrawIconEx
GetIconInfo
InsertMenuW
SetMenuItemBitmaps
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
SendMessageA
FindWindowA
GetDC
ReleaseDC

gdi32

DeleteDC
DeleteObject
GetDIBits
SelectObject
CreateDIBSection
CreateCompatibleDC

shell32

ord51
SHGetFolderPathW
ShellExecuteExW
DragQueryFileW

ole32

ReleaseStgMedium
StringFromGUID2

advapi32

RegOpenKeyExW
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
GetLengthSid
CopySid
GetUserNameW
ConvertStringSidToSidW
ConvertSidToStringSidW
SetNamedSecurityInfoW
RegSetKeySecurity
RegGetKeySecurity
LookupAccountSidW
IsValidSid
SetEntriesInAclW
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
IsValidSecurityDescriptor
InitializeSecurityDescriptor
InitializeAcl
GetTokenInformation
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
LookupPrivilegeValueW
DuplicateTokenEx
AdjustTokenPrivileges
OpenProcessToken
CreateProcessAsUserW
RegQueryInfoKeyW
RegEnumValueW
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
RegSetValueExW
RegQueryValueExW
RegCreateKeyExW
RegCloseKey

shlwapi

StrDupW
PathAppendW
StrCmpIW
ord219
PathUnExpandEnvStringsW
PathUnquoteSpacesW
PathSearchAndQualifyW
PathRemoveFileSpecW
PathRemoveBlanksW
PathRemoveBackslashW
PathRemoveArgsW
PathQuoteSpacesW
PathIsRelativeW
PathIsPrefixW
PathIsDirectoryW
PathGetDriveNumberW
PathGetArgsW
PathFindFileNameW
PathFindExtensionW
PathFileExistsW

ntdll

RtlVirtualUnwind
RtlLookupFunctionEntry
NtQueryKey
NtDeleteValueKey
NtOpenKey
NtDeleteKey

userenv

GetProfilesDirectoryW
CreateEnvironmentBlock
DestroyEnvironmentBlock

wininet

InternetGetConnectedState

mpr

WNetGetConnectionW

wtsapi32

WTSEnumerateSessionsW

wsock32

getsockopt
inet_ntoa
gethostname
sendto
recvfrom
htonl
select
__WSAFDIsSet
htons
getpeername
socket
setsockopt
listen
connect
closesocket
bind
accept
WSASetLastError
send
recv
WSAGetLastError
WSACleanup
WSAStartup
ntohs
shutdown
getsockname

crypt32

CertEnumCertificatesInStore
CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertOpenStore
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore

bcrypt

BCryptGenRandom

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 867KB - Virtual size: 867KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 31KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 117KB - Virtual size: 117KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

56053b3f97886aaac249fca86113e9e8

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0aCertificate

Extended Key Usages

Key Usages

18:39:af:85:74:aa:0e:80:c3:71:d9:80:34:61:dd:7bCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

0d:7f:63:69:09:82:24:c0:ef:29:78:33:c1:c5:13:64:91:a7:3a:2eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

kernel32

user32

gdi32

shell32

ole32

advapi32

shlwapi

ntdll

userenv

wininet

mpr

wtsapi32

wsock32

crypt32

bcrypt

Exports

Exports

Sections

.text Size: 2.1MB - Virtual size: 2.1MB

.rdata Size: 867KB - Virtual size: 867KB

.data Size: 31KB - Virtual size: 59KB

.pdata Size: 117KB - Virtual size: 117KB

.gfids Size: 512B - Virtual size: 360B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 53KB - Virtual size: 52KB

.reloc Size: 29KB - Virtual size: 29KB

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

18:39:af:85:74:aa:0e:80:c3:71:d9:80:34:61:dd:7b
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

0d:7f:63:69:09:82:24:c0:ef:29:78:33:c1:c5:13:64:91:a7:3a:2e
Signer

.text
Size: 2.1MB - Virtual size: 2.1MB

.rdata
Size: 867KB - Virtual size: 867KB

.data
Size: 31KB - Virtual size: 59KB

.pdata
Size: 117KB - Virtual size: 117KB

.gfids
Size: 512B - Virtual size: 360B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 53KB - Virtual size: 52KB

.reloc
Size: 29KB - Virtual size: 29KB