iertutil.dll

  • File Path: C:\Windows\system32\iertutil.dll
  • Description: Run time utility for Internet Explorer

Hashes

Type Hash
MD5 F0367DE97CFA284889266C521144670F
SHA1 913FC012981D2BEBA1CD039AA0B8F1580CCFB379
SHA256 7D80927EC6FA8CF98BE6BFDC50C8C9DE221DF452E1144D6BF91F9EFA74264B77
SHA384 29C9633D51BE5CF08E01D8BDB15B08944191373CC4DAAD4319B3A45E167EA561ADB962104ECFEEDEC907941E8C675AC2
SHA512 4A2DAEA2A52C334FA673EC0448642D59BCF67237779A30FF28A59F6BDD5BB8E92D34EF7418C491335827C111DB3404AB95A548DFC108868BDF59977BB9BF9A5F
SSDEEP 24576:vEOh5bMDJ7U1uXt56kNIfg3iJapoyDBU7NnPbwY34neqJ7oaK6X:vd5gJ+UE0Mbf4lJ7oaK6
IMP B852FEA8B6523C4DCD675F6BB00E682C
PESHA1 C0A1C9DEDD7E2EEE57E52A1B33ADD4541D3ED69F
PE256 F701E823108AC92EE74FAA2FBD92F4A1FB1D24546CF6046927AF701D3F5945AF

DLL Exports:

Function Name Ordinal Type
IUriBuilderInternalCreateDomain 103 Exported Function
IsStringProperty 185 Exported Function
OutOfProcessExceptionEventDebuggerLaunchCallback 105 Exported Function
OutOfProcessExceptionEventCallback 104 Exported Function
IsDWORDProperty 184 Exported Function
IEGetTabWindowExports 47 Exported Function
IEGetProcessModule 31 Exported Function
IntlPercentEncodeNormalize 183 Exported Function
ImpersonateUser 182 Exported Function
OutOfProcessExceptionEventSignatureCallback 106 Exported Function
RetiredOrdinal 900 Exported Function
ResetIERegistrySettings 109 Exported Function
UriFromHostAndScheme 113 Exported Function
RevertImpersonate 189 Exported Function
ResetIEExtensibility 108 Exported Function
PrivateCoInternetCombineIUri 187 Exported Function
PrivateCoInternetCanonicalizeIUri 186 Exported Function
ResetIDNLanguageData 107 Exported Function
PrivateCoInternetParseIUri 188 Exported Function
IEGetFrameUtilExports 27 Exported Function
DllCanUnloadNow 119 Exported Function
CreateUriWithFragment 118 Exported Function
DllGetClassObject 121 Exported Function
DllGetActivationFactory 120 Exported Function
CreateUriPriv 117 Exported Function
CreateStringHashN 22 Exported Function
CreateIUriBuilder 114 Exported Function
CreateUriFromMultiByteString 116 Exported Function
CreateUri 115 Exported Function
FastMimeGetFileExtension 122 Exported Function
GetPortFromUrlScheme 179 Exported Function
GetIUriPriv2 145 Exported Function
GetPropertyName 181 Exported Function
GetPropertyFromName 180 Exported Function
GetIUriPriv 136 Exported Function
FastMimeLookupKnownType 132 Exported Function
FastMimeGetIsMimeFilterEnabled 131 Exported Function
GetIDNSettingsForIE 23 Exported Function
FastMimeSetIsMimeFilterEnabled 133 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: IeRtUtil.dll.mui
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.19041.1 (WinBuild.160101.0800)
  • Product Version: 11.00.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/7d80927ec6fa8cf98be6bfdc50c8c9de221df452e1144d6bf91f9efa74264b77/detection/

Possible Misuse

The following table contains possible examples of iertutil.dll being misused. While iertutil.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_dcom_iertutil_dll_hijack.yml title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack DRL 1.0
sigma win_dcom_iertutil_dll_hijack.yml description: Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer directory over the network for a DCOM InternetExplorer DLL Hijack scenario. DRL 1.0
sigma win_dcom_iertutil_dll_hijack.yml RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll' DRL 1.0
sigma sysmon_dcom_iertutil_dll_hijack.yml title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack DRL 1.0
sigma sysmon_dcom_iertutil_dll_hijack.yml description: Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario. DRL 1.0
sigma sysmon_dcom_iertutil_dll_hijack.yml TargetFilename|endswith: '\Internet Explorer\iertutil.dll' DRL 1.0
sigma sysmon_dcom_iertutil_dll_hijack.yml ImageLoaded|endswith: '\Internet Explorer\iertutil.dll' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.