iertutil.dll

  • File Path: C:\Windows\SysWOW64\iertutil.dll
  • Description: Run time utility for Internet Explorer

Hashes


DLL Exports:

| Function Name | Ordinal | Type |
| --- | --- | --- |
| IUriBuilderInternalCreateDomain | 103 | Exported Function |
| IsStringProperty | 185 | Exported Function |
| OutOfProcessExceptionEventDebuggerLaunchCallback | 105 | Exported Function |
| OutOfProcessExceptionEventCallback | 104 | Exported Function |
| IsDWORDProperty | 184 | Exported Function |
| IEGetTabWindowExports | 47 | Exported Function |
| IEGetProcessModule | 31 | Exported Function |
| IntlPercentEncodeNormalize | 183 | Exported Function |
| ImpersonateUser | 182 | Exported Function |
| OutOfProcessExceptionEventSignatureCallback | 106 | Exported Function |
| RetiredOrdinal | 900 | Exported Function |
| ResetIERegistrySettings | 109 | Exported Function |
| UriFromHostAndScheme | 113 | Exported Function |
| RevertImpersonate | 189 | Exported Function |
| ResetIEExtensibility | 108 | Exported Function |
| PrivateCoInternetCombineIUri | 187 | Exported Function |
| PrivateCoInternetCanonicalizeIUri | 186 | Exported Function |
| ResetIDNLanguageData | 107 | Exported Function |
| PrivateCoInternetParseIUri | 188 | Exported Function |
| IEGetFrameUtilExports | 27 | Exported Function |
| DllCanUnloadNow | 119 | Exported Function |
| CreateUriWithFragment | 118 | Exported Function |
| DllGetClassObject | 121 | Exported Function |
| DllGetActivationFactory | 120 | Exported Function |
| CreateUriPriv | 117 | Exported Function |
| CreateStringHashN | 22 | Exported Function |
| CreateIUriBuilder | 114 | Exported Function |
| CreateUriFromMultiByteString | 116 | Exported Function |
| CreateUri | 115 | Exported Function |
| FastMimeGetFileExtension | 122 | Exported Function |
| GetPortFromUrlScheme | 179 | Exported Function |
| GetIUriPriv2 | 136 | Exported Function |
| GetPropertyName | 181 | Exported Function |
| GetPropertyFromName | 180 | Exported Function |
| GetIUriPriv | 145 | Exported Function |
| FastMimeLookupKnownType | 132 | Exported Function |
| FastMimeGetIsMimeFilterEnabled | 131 | Exported Function |
| GetIDNSettingsForIE | 23 | Exported Function |
| FastMimeSetIsMimeFilterEnabled | 133 | Exported Function |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: IeRtUtil.dll.mui
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.19041.1 (WinBuild.160101.0800)
  • Product Version: 11.00.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/83059d16408d52752d0d93e5cad700754ef4624a13b638068d258fffede5c89d/detection/

Possible Misuse

The following table contains possible examples of iertutil.dll being misused. While iertutil.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | win_dcom_iertutil_dll_hijack.yml | title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack | DRL 1.0 |
| sigma | win_dcom_iertutil_dll_hijack.yml | description: Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer directory over the network for a DCOM InternetExplorer DLL Hijack scenario. | DRL 1.0 |
| sigma | win_dcom_iertutil_dll_hijack.yml | RelativeTargetName\|endswith: '\Internet Explorer\iertutil.dll' | DRL 1.0 |
| sigma | sysmon_dcom_iertutil_dll_hijack.yml | title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack | DRL 1.0 |
| sigma | sysmon_dcom_iertutil_dll_hijack.yml | description: Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario. | DRL 1.0 |
| sigma | sysmon_dcom_iertutil_dll_hijack.yml | TargetFilename\|endswith: '\Internet Explorer\iertutil.dll' | DRL 1.0 |
| sigma | sysmon_dcom_iertutil_dll_hijack.yml | ImageLoaded\|endswith: '\Internet Explorer\iertutil.dll' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.