USBDeview[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

USBDeview.exe
Size

190KB
MD5

913fa13999e66dc7ca65e0f3e15d757c
SHA1

799b6c725ba6cc018072beef172cc2649f735405
SHA256

ac856a547eb603c9e54bb559dcc9a000345e4a4c4263202734a8a0e725a2b492
SHA512

b3290b57b9a81643a81448a5e05d1d6f573938bca89f0a0a05123c1587546fb62d19b0e4acd32b7114c4846b13e91f16575e7c551ffe3591de4416239daaa496
SSDEEP

3072:+Ezl7TG3I/VSLjMzMwX4xPKaTAjmC1xP1nq9LBB1mLWdcmf563Lk1TtNCP7g8gtE:jzltSL4t4nTAjuVAWxR6bOJNC4kHT

Score

10^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
sample	Nirsoft

Files

USBDeview.exe
.exe windows x64

7f6d6c22698845fce190590da793f13b

Code Sign

f7:a0:a7:30:c8:7d:94:cd:83:02:e3:ea:7f:66:1b:b7
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/09/2019, 00:00

Not After

09/09/2023, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=7135117,STREET=Dakar 21\, Unit 82,L=Lod,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/11/2018, 00:00

Not After

31/12/2030, 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

11/05/2022, 00:00

Not After

10/08/2033, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #3,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a3:3d:f2:5a:fe:2c:e6:a8:07:c5:b4:d2:29:8b:1e:d5:3f:9a:f6:aa:13:d4:fd:d0:7b:a1:61:0f:49:21:03:3a
Signer

Actual PE Digest

a3:3d:f2:5a:fe:2c:e6:a8:07:c5:b4:d2:29:8b:1e:d5:3f:9a:f6:aa:13:d4:fd:d0:7b:a1:61:0f:49:21:03:3a

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=7135117,STREET=Dakar 21\, Unit 82,L=Lod,C=IL

04/11/2022, 15:40
Valid: true

Chain 1

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=7135117,STREET=Dakar 21\, Unit 82,L=Lod,C=IL

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__getmainargs
_acmdln
exit
_cexit
_exit
_c_exit
_XcptFilter
__C_specific_handler
_onexit
_initterm
__setusermatherr
_commode
_fmode
__set_app_type
__dllonexit
atol
_mbsrchr
_mbsicmp
qsort
_strlwr
_mbschr
memmove
_strnicmp
strrchr
strchr
strcmp
strtoul
malloc
free
_strcmpi
modf
_memicmp
memcmp
srand
rand
abs
_strupr
_itoa
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
memcpy
strlen
_purecall
_stricmp
_snprintf
atoi
strcpy
memset
strcat
strncat
sprintf

comctl32

CreateToolbarEx
ord6
ImageList_SetImageCount
ImageList_Create
ImageList_AddMasked
ImageList_Add

ws2_32

WSASetLastError
closesocket
send
WSAAsyncSelect
WSAAsyncGetHostByName
connect
inet_addr
htonl
WSAGetLastError
htons
bind
socket
WSAStartup
WSACleanup

kernel32

Process32Next
OpenProcess
SetEnvironmentVariableA
GetCurrentThreadId
DeviceIoControl
GetStartupInfoA
GetProcAddress
CreateToolhelp32Snapshot
Process32First
GetCurrentProcess
ExitProcess
GetCurrentProcessId
ReadProcessMemory
CreateProcessA
Sleep
SetErrorMode
FreeLibrary
WinExec
GetComputerNameA
GetModuleFileNameA
GetLastError
CompareFileTime
GetPrivateProfileStringA
SystemTimeToFileTime
GetModuleHandleA
FileTimeToSystemTime
LoadLibraryA
GetDiskFreeSpaceExA
GetLogicalDrives
GetWindowsDirectoryA
GetDriveTypeA
ReadFile
FlushFileBuffers
CloseHandle
DeleteFileA
CreateThread
CreateFileA
GetTickCount
WriteFile
SystemTimeToTzSpecificLocalTime
FileTimeToLocalFileTime
GetDateFormatA
GetTempPathA
LocalFree
GetSystemDirectoryA
GetTempFileNameA
GetFileSize
LoadLibraryExA
GlobalAlloc
GlobalLock
WideCharToMultiByte
MultiByteToWideChar
GetTimeFormatA
GlobalUnlock
GetFileAttributesA
GetVersionExA
FormatMessageA
GetPrivateProfileIntA
WritePrivateProfileStringA
EnumResourceNamesA
GetStdHandle
ExpandEnvironmentStringsA

user32

EnumWindows
GetWindowThreadProcessId
SetForegroundWindow
AttachThreadInput
SetTimer
GetSysColorBrush
ShowWindow
LoadCursorA
RemoveMenu
ReleaseDC
GetDC
SetCursor
SetDlgItemInt
BeginPaint
GetWindow
GetClientRect
SetDlgItemTextA
DrawFrameControl
GetDlgItemTextA
SetWindowTextA
GetSystemMetrics
DeferWindowPos
SendDlgItemMessageA
GetWindowRect
GetDlgItemInt
EndDialog
GetDlgItem
CreateWindowExA
EndPaint
InvalidateRect
DefWindowProcA
TranslateAcceleratorA
MessageBoxA
GetWindowPlacement
SendMessageA
RegisterClassA
UpdateWindow
PostMessageA
SetMenu
LoadAcceleratorsA
SetWindowPos
LoadImageA
GetSysColor
GetWindowLongA
SetWindowLongA
EndDeferWindowPos
BeginDeferWindowPos
SetFocus
GetWindowTextA
CheckMenuRadioItem
MoveWindow
OpenClipboard
CheckMenuItem
GetMenu
EmptyClipboard
EnableMenuItem
InsertMenuItemA
GetMenuItemCount
GetParent
SetClipboardData
GetMenuStringA
EnableWindow
MapWindowPoints
GetSubMenu
GetCursorPos
GetClassNameA
CloseClipboard
LoadMenuA
LoadStringA
ModifyMenuA
DialogBoxParamA
GetDlgCtrlID
DestroyMenu
CreateDialogParamA
DestroyWindow
EnumChildWindows
GetMenuItemInfoA
CreatePopupMenu
LoadIconA
SetMenuItemInfoA
GetKeyState
GetMessageA
TranslateMessage
IsDialogMessageA
KillTimer
DrawTextExA
InsertMenuA
RegisterWindowMessageA
TrackPopupMenu
DispatchMessageA
PostQuitMessage
ChildWindowFromPoint

gdi32

GetTextExtentPoint32A
CreateCompatibleBitmap
SetTextColor
StretchBlt
GetStockObject
SetBkColor
GetPixel
GetObjectA
DeleteObject
SetBkMode
GetDeviceCaps
CreateFontIndirectA
CreateCompatibleDC
SelectObject
SetPixel
SetStretchBltMode
DeleteDC

comdlg32

ChooseFontA
FindTextA
GetSaveFileNameA

advapi32

RegCreateKeyA
OpenSCManagerA
ControlService
QueryServiceStatus
RegCloseKey
StartServiceA
ChangeServiceConfigA
OpenServiceA
CloseServiceHandle
RegLoadKeyA
RegUnLoadKeyA
RegConnectRegistryA
RegEnumKeyExA
RegQueryValueExA
RegSetValueExA
RegDeleteValueA
RegQueryInfoKeyA
RegOpenKeyExA
RegDeleteKeyA
CryptReleaseContext
CryptHashData
CryptDestroyHash
CryptGetHashParam
CryptCreateHash
CryptAcquireContextA

shell32

SHGetFileInfoA
ShellExecuteExA
ShellExecuteA
Shell_NotifyIconA

ole32

CoCreateInstance

Sections

.text
Size: 125KB - Virtual size: 125KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7f6d6c22698845fce190590da793f13b

Code Sign

f7:a0:a7:30:c8:7d:94:cd:83:02:e3:ea:7f:66:1b:b7Certificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

a3:3d:f2:5a:fe:2c:e6:a8:07:c5:b4:d2:29:8b:1e:d5:3f:9a:f6:aa:13:d4:fd:d0:7b:a1:61:0f:49:21:03:3aSigner

Signature Validations

Verification

04/11/2022, 15:40 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

comctl32

ws2_32

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

Sections

.text Size: 125KB - Virtual size: 125KB

.rdata Size: 22KB - Virtual size: 22KB

.data Size: 2KB - Virtual size: 6KB

.pdata Size: 4KB - Virtual size: 4KB

.rsrc Size: 26KB - Virtual size: 26KB

f7:a0:a7:30:c8:7d:94:cd:83:02:e3:ea:7f:66:1b:b7
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

a3:3d:f2:5a:fe:2c:e6:a8:07:c5:b4:d2:29:8b:1e:d5:3f:9a:f6:aa:13:d4:fd:d0:7b:a1:61:0f:49:21:03:3a
Signer

04/11/2022, 15:40
Valid: true

.text
Size: 125KB - Virtual size: 125KB

.rdata
Size: 22KB - Virtual size: 22KB

.data
Size: 2KB - Virtual size: 6KB

.pdata
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 26KB - Virtual size: 26KB