NEAS[.]3e4ad53dd6e5ec8b2f2eb053235aa300[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.3e4ad53dd6e5ec8b2f2eb053235aa300.exe
Size

237KB
MD5

3e4ad53dd6e5ec8b2f2eb053235aa300
SHA1

571d37c33c50254477371fdca5b4145a83bf843c
SHA256

26004ed01d44f469927b67453d7772daf3f784b4743859711c84cc189ec322a2
SHA512

e730b5790ccb467baa06da2e80c935294a3c7d23e83b2dac4d02bab46bf4292178abf393119d0aa3f4a12ba9d2c08dd4b337d6eb10fae32bb06abe84c7bea83a
SSDEEP

6144:nk2XW4d/xZU25e29ydjYv3Mbd0KYK6yUWnhyAI:nWax6Ce20d0v3MbdPYK6yXhy

Score

1^/10

Malware Config

Signatures

Files

NEAS.3e4ad53dd6e5ec8b2f2eb053235aa300.exe
.exe windows:4 windows x86

cfdc49e110efb97794458dec5a2a6e32

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

08:99:45:31:fd:f1:b2:eb:b8:c7:82:1b:f6:50:fd:cf
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

18/12/2008, 00:00

Not After

18/12/2011, 23:59

Subject

CN=Hewlett-Packard Company,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Hewlett-Packard Company,O=Hewlett-Packard Company,L=Palo Alto,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

bb:9e:78:da:73:fc:13:95:1d:9b:1d:8c:32:0e:65:aa:cc:11:f1:bc
Signer

Actual PE Digest

bb:9e:78:da:73:fc:13:95:1d:9b:1d:8c:32:0e:65:aa:cc:11:f1:bc

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

htons
socket
connect
closesocket
gethostname
WSAGetLastError
gethostbyname
inet_addr
inet_ntoa

wininet

InternetReadFile
InternetCloseHandle
InternetOpenUrlA
InternetOpenA

zsys

ord115
ord90
ord198
ord197
ord177
ord196
ord176
ord175
ord94
ord31
ord93
ord218

kernel32

HeapSize
CreateFileA
SetStdHandle
InterlockedExchange
InitializeCriticalSection
GetLocaleInfoA
GetStringTypeW
GetStringTypeA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetLastError
WideCharToMultiByte
IsBadWritePtr
QueryPerformanceCounter
IsBadCodePtr
GetEnvironmentVariableA
GetShortPathNameA
ExpandEnvironmentStringsA
GetPrivateProfileStringA
GetVersionExA
FreeLibrary
GetProcAddress
LoadLibraryExA
GetSystemDirectoryA
Sleep
GlobalFree
LocalFree
FormatMessageA
GetCurrentProcessId
LoadLibraryA
GetTickCount
CompareStringA
CompareStringW
SetEnvironmentVariableA
SetEndOfFile
GetFileInformationByHandle
UnhandledExceptionFilter
GetModuleFileNameA
PeekNamedPipe
GetFileAttributesA
IsBadReadPtr
HeapAlloc
GetCPInfo
GetOEMCP
GetACP
GetCurrentDirectoryA
GetFullPathNameA
VirtualQuery
GetSystemInfo
VirtualProtect
FlushFileBuffers
GetTimeZoneInformation
SetFilePointer
WriteFile
GetFileType
GetStdHandle
SetHandleCount
LCMapStringW
MultiByteToWideChar
RtlUnwind
RaiseException
HeapFree
SetEnvironmentVariableW
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
GetTimeFormatA
GetDateFormatA
ExitProcess
GetModuleHandleA
TerminateProcess
GetCurrentProcess
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
GetDriveTypeA
FindFirstFileA
DeleteFileA
GetStartupInfoA
GetCommandLineA
TlsAlloc
SetLastError
GetCurrentThreadId
TlsFree
TlsSetValue
TlsGetValue
DeleteCriticalSection
CloseHandle
SetUnhandledExceptionFilter
ReadFile
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
LCMapStringA

advapi32

ReportEventA
RegCloseKey
RegQueryValueExA
RegisterEventSourceA
GetUserNameA
DeregisterEventSource
RegOpenKeyExA

shell32

FindExecutableA

icmp

IcmpSendEcho
IcmpCloseHandle
IcmpCreateFile

js32

JS_DestroyContext
JS_GetStringBytes
JS_ValueToString
JS_CallFunctionName
JS_NewStringCopyZ
JS_DefineFunction
JS_CompileScript
JS_InitStandardClasses
JS_NewObject
JS_NewContext
JS_Init
JS_FinalizeStub
JS_ConvertStub
JS_ResolveStub
JS_EnumerateStub
JS_PropertyStub
JS_Finish

Exports

Exports

AppendOpen
BadPointer
CloseObject_D
CopyVarname
CreateErrorRecord_D
EdmByteOrder
EdmErrorRecord_D
Edm_Add_Buflst_D
Edm_Buffer_Read_D
Edm_Eobj_D
Edm_Eval_Env_Notation
Edm_Eval_Path_Notation_D
Edm_Eval_Shell_Notation
Edm_Eval_Var_D
Edm_Find_Pool_D
Edm_Flast_D
Edm_Heap_Add_D
Edm_Heap_Add_From_Ptr_D
Edm_Heap_Delete_D
Edm_Heap_Point_D
Edm_Heap_Set_D
Edm_Make_Dir
Edm_Make_Unix
Edm_ObjPtr_Save_D
Edm_Obj_Exists_D
Edm_Obj_Exists_Ex_D
Edm_Object_Delete_D
Edm_Object_Save_D
Edm_Query_Heap_D
Edm_Reorg_D
Edm_Set_Trace_D
Edm_Swap_Heaps_D
Edm_Var_Replace_D
Edm_Vars_Exit_D
Edm_copyFile_D
GetDefaultObjectPermissions_D
GetEdmNames
GetMaxMessageSize
IsMBEnabled_D
LowerCase
OS_Info
OpenObject_D
OpenObject_Ex_D
OpenRadiaObject_D
OurCharLength
OurCopyVarname
OurIsSpace
OurLowerCase
OurMixCase
OurPaddedStrcpy
OurPathsepTerm
OurSkipWhiteSpace
OurSplitpath
OurStrcatPathSeparator
OurStrchr
OurStrcmp
OurStrcpy
OurStrcspn
OurStricmp
OurStripPathSeparator
OurStrlen
OurStrncat
OurStrncmp
OurStrncpy
OurStrnicmp
OurStrpbrk
OurStrrchr
OurStrstr
OurStrupr
OurTrim
OurUpcase
OurUpcaseVar
OurVarClientToMgr
OurVarMgrToClient
PathsepTerm
Rad_Var_Replace_D
ResourceTypeName
ResourceType_D
Retrieve_Registry_Value_D
Running_OS
Show_Header_Buffer_D
Show_Header_D
Show_Module_Stats_D
SkipWhiteSpace
StrcatPathSeparator
StripPathSeparator
SynchronizesObjectsFromDisk_D
SynchronizesObjectsToDisk_D
Trim
Upcase
UpcaseVar
ValidPointer
VarYesNo_D
Var_Trim_Field_D
VerifyVarsDLL
WrapTraceLog_D
add_var_D
append_edm_to_filename_D
close_log_file_D
convert_object_to_UTF8_D
convert_object_to_localCP_D
dkey
dump_all_D
dump_vars_D
edmdes_decrypt
edmdes_encrypt
edmdes_initkey
eventlog_D
file_exists_D
get_edm_env_var_D
get_edm_env_var_Ex_D
get_edmenv_D
get_edmenv_adm_D
get_edmenv_data_D
get_edmenv_log_D
get_edmenv_root_D
get_edmenv_root_Ex_D
get_edmenv_sys_D
get_object_version_D
isIdmDll
last_message_D
lookup_msg
novaswab
nvd_tolower
nvd_toupper
open_log_append_D
open_log_file_D
openfile_D
padded_strcpy
pool_unsave_D
pooltab_add_D
pooltab_build_D
pooltab_delete_D
pooltab_err_D
pooltab_put_D
pooltab_replace_D
rename_bad_object_D
splitpath
tracelog_D
tracelog_local_D
trim
v_add_D
v_add_data_D
v_delt_D
v_get_D
v_get_data_D
v_get_integer_D
v_get_localstring_D
v_get_string_D
v_put_D
v_put_data_D
v_set_D
v_set_data_D
v_set_localstring_D
v_set_string_D
var_cpy_D
var_put_D
var_toi_D
vtab_reorg_D

Sections

.text
Size: 160KB - Virtual size: 158KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

cfdc49e110efb97794458dec5a2a6e32

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

08:99:45:31:fd:f1:b2:eb:b8:c7:82:1b:f6:50:fd:cfCertificate

Extended Key Usages

Key Usages

bb:9e:78:da:73:fc:13:95:1d:9b:1d:8c:32:0e:65:aa:cc:11:f1:bcSigner

Headers

File Characteristics

Imports

ws2_32

wininet

zsys

kernel32

advapi32

shell32

icmp

js32

Exports

Exports

Sections

.text Size: 160KB - Virtual size: 158KB

.rdata Size: 44KB - Virtual size: 42KB

.data Size: 16KB - Virtual size: 25KB

.rsrc Size: 8KB - Virtual size: 5KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

08:99:45:31:fd:f1:b2:eb:b8:c7:82:1b:f6:50:fd:cf
Certificate

bb:9e:78:da:73:fc:13:95:1d:9b:1d:8c:32:0e:65:aa:cc:11:f1:bc
Signer

.text
Size: 160KB - Virtual size: 158KB

.rdata
Size: 44KB - Virtual size: 42KB

.data
Size: 16KB - Virtual size: 25KB

.rsrc
Size: 8KB - Virtual size: 5KB