cports[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

cports.exe
Size

190KB
MD5

996b2a9ad2af67fbf9629e86a42597c2
SHA1

14f47a3b1fc82806540c5139b37d2f2a834dcd60
SHA256

a82c70fe52f0142b4f72340aefe2a4f54c55cf352e8a042274802f43a9c3c19a
SHA512

47892c4d65871d45c12aaa8a889b2be2d2a87b1a12494a5fa7a35baecf36be72a0103a9e643b0ba77f6805624d3e1be15d5228196a99d0ab24bb11b24d38ab3a
SSDEEP

3072:9tOcwHdlKCt4fasynGmluPVV5ro2EGixRHFNc4q3cxxUw3yL8YXI/1:9CspGGmu9XrGhFNcRuyw1

Score

10^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
sample	Nirsoft

Files

cports.exe
.exe windows x64

8070873eb376ae42da6d67ccb058fcb3

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

24/08/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

Issuer

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/09/2014, 00:00

Not After

12/09/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

30/03/2016, 00:00

Not After

30/06/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-256 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

19:d6:f2:be:96:38:95:2b:f4:42:02:b6:bb:15:9c:a8:2f:1c:fc:39:28:0b:20:e6:3e:a6:e3:dd:52:8a:3e:04
Signer

Actual PE Digest

19:d6:f2:be:96:38:95:2b:f4:42:02:b6:bb:15:9c:a8:2f:1c:fc:39:28:0b:20:e6:3e:a6:e3:dd:52:8a:3e:04

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

10/04/2018, 13:48
Valid: true

Chain 1

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

1c:80:11:99:66:9c:04:50:89:5f:a4:98:ad:36:59:42:be:75:8d:65
Signer

Actual PE Digest

1c:80:11:99:66:9c:04:50:89:5f:a4:98:ad:36:59:42:be:75:8d:65

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

10/04/2018, 13:48
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_initterm
__getmainargs
_acmdln
exit
_cexit
_exit
_c_exit
_XcptFilter
__C_specific_handler
_onexit
_mbschr
__setusermatherr
strcmp
malloc
free
modf
_stricmp
strtoul
_memicmp
_strcmpi
strchr
_purecall
strlen
_ultoa
_commode
_fmode
__set_app_type
strrchr
memcpy
memcmp
strncmp
atoi
strcpy
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
memset
strncat
sprintf
__dllonexit
qsort
strcat
_strlwr
_itoa
_atoi64
_mbsicmp
_errno
fopen
fread
fprintf
ferror
ftell
fclose

ws2_32

WSASetLastError
closesocket
gethostbyaddr
WSAAsyncSelect
connect
inet_addr
WSAGetLastError
htons
WSAStartup
getservbyport
WSACleanup

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

comctl32

CreateToolbarEx
ImageList_SetImageCount
ImageList_Create
ImageList_AddMasked
ImageList_ReplaceIcon
ord17
ImageList_Add
ord6

kernel32

CreateEventA
GetThreadSelectorEntry
GetProcessHeap
GetCurrentThread
HeapFree
UnmapViewOfFile
DeviceIoControl
ResumeThread
ReadProcessMemory
GetCurrentProcess
ExitProcess
DeleteFileA
GetCurrentProcessId
WinExec
GetStdHandle
DuplicateHandle
GetPrivateProfileIntA
EnumResourceNamesA
WritePrivateProfileStringA
WriteFile
GetDateFormatA
LoadResource
LoadLibraryExA
ReadFile
GetWindowsDirectoryA
GetTempFileNameA
FormatMessageA
lstrcpyA
GetNumberFormatA
GetModuleFileNameA
LocalFree
GetLocaleInfoA
GetTempPathA
MapViewOfFile
TerminateProcess
GetStartupInfoA
GetPrivateProfileStringA
CreateThread
OpenProcess
CloseHandle
FileTimeToLocalFileTime
WideCharToMultiByte
CompareFileTime
Sleep
GetProcAddress
GetModuleHandleA
GetFileAttributesA
GetTickCount
GetSystemTimeAsFileTime
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
FreeLibrary
FileTimeToSystemTime
LoadLibraryA
GlobalAlloc
CreateFileA
GetFileSize
GlobalLock
FindResourceA
LockResource
GlobalUnlock
GetVersionExA
GetTimeFormatA
SetFilePointer
lstrlenA
GetLastError

user32

SetForegroundWindow
WindowFromPoint
SetTimer
RegisterWindowMessageA
PostQuitMessage
TrackPopupMenu
DrawTextExA
SetCapture
IsDialogMessageA
TranslateMessage
KillTimer
PostMessageA
GetKeyState
DispatchMessageA
ReleaseCapture
GetMessageA
MessageBeep
UpdateWindow
GetSysColor
LoadMenuA
GetMenuItemInfoA
DestroyWindow
EnumChildWindows
CreateDialogParamA
DestroyMenu
GetDlgCtrlID
DialogBoxParamA
LoadStringA
ModifyMenuA
LoadImageA
MapWindowPoints
GetCursorPos
GetSysColorBrush
ShowWindow
ChildWindowFromPoint
SetCursor
LoadCursorA
SendMessageA
GetWindowPlacement
GetSystemMetrics
SetWindowPos
BeginPaint
GetWindowTextLengthA
GetWindow
GetClientRect
SetDlgItemTextA
DrawFrameControl
GetDlgItemTextA
SetWindowTextA
SendDlgItemMessageA
DeferWindowPos
GetWindowRect
GetDlgItemInt
EndDialog
GetDlgItem
EndPaint
CreateWindowExA
InvalidateRect
SetDlgItemInt
SetMenu
LoadAcceleratorsA
DefWindowProcA
TranslateAcceleratorA
MessageBoxA
RegisterClassA
IsWindowVisible
EnumWindows
GetWindowThreadProcessId
GetWindowTextA
LoadIconA
FindWindowA
DestroyIcon
GetWindowLongA
SetWindowLongA
BeginDeferWindowPos
EndDeferWindowPos
SetFocus
GetMenu
MoveWindow
OpenClipboard
EmptyClipboard
GetDC
GetParent
ScreenToClient
CheckMenuItem
EnableMenuItem
ReleaseDC
GetClassNameA
GetMenuItemCount
GetSubMenu
CloseClipboard
GetMenuStringA
CheckMenuRadioItem
SetClipboardData
EnableWindow

gdi32

GetDeviceCaps
SetTextColor
CreateFontIndirectA
SetBkMode
DeleteObject
GetTextExtentPoint32A
SetBkColor
SelectObject

comdlg32

FindTextA
GetSaveFileNameA
ChooseFontA

advapi32

RegDeleteKeyA

shell32

Shell_NotifyIconA
ShellExecuteExA
ShellExecuteA
ExtractIconExA

Sections

.text
Size: 126KB - Virtual size: 125KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8070873eb376ae42da6d67ccb058fcb3

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bbCertificate

Extended Key Usages

Key Usages

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8Certificate

Extended Key Usages

Key Usages

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77Certificate

Extended Key Usages

Key Usages

19:d6:f2:be:96:38:95:2b:f4:42:02:b6:bb:15:9c:a8:2f:1c:fc:39:28:0b:20:e6:3e:a6:e3:dd:52:8a:3e:04Signer

Signature Validations

Verification

10/04/2018, 13:48 Valid: true

Chain 1

1c:80:11:99:66:9c:04:50:89:5f:a4:98:ad:36:59:42:be:75:8d:65Signer

Signature Validations

Verification

10/04/2018, 13:48 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ws2_32

version

comctl32

kernel32

user32

gdi32

comdlg32

advapi32

shell32

Sections

.text Size: 126KB - Virtual size: 125KB

.rdata Size: 23KB - Virtual size: 22KB

.data Size: 2KB - Virtual size: 16KB

.pdata Size: 4KB - Virtual size: 4KB

.rsrc Size: 22KB - Virtual size: 21KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

19:d6:f2:be:96:38:95:2b:f4:42:02:b6:bb:15:9c:a8:2f:1c:fc:39:28:0b:20:e6:3e:a6:e3:dd:52:8a:3e:04
Signer

10/04/2018, 13:48
Valid: true

1c:80:11:99:66:9c:04:50:89:5f:a4:98:ad:36:59:42:be:75:8d:65
Signer

10/04/2018, 13:48
Valid: false

.text
Size: 126KB - Virtual size: 125KB

.rdata
Size: 23KB - Virtual size: 22KB

.data
Size: 2KB - Virtual size: 16KB

.pdata
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 22KB - Virtual size: 21KB