NEAS[.]9cf3e84681cd3ae1ab648a52c9d31fd0[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.9cf3e84681cd3ae1ab648a52c9d31fd0.exe
Size

1.4MB
MD5

9cf3e84681cd3ae1ab648a52c9d31fd0
SHA1

e5f1f66ae1a098bfcabd82218ef69185c3fc31b7
SHA256

60853b5c90a86701323c20b310f53073612e49d0b8344b8ff813f859c483b59a
SHA512

73b7df4267d61ec91c23ea1a2b23e9a568ca99cea63e8bc004badb5c6a091a663535f8aa5117ff687247f49fb00ca198a8ee5d8d40501403e0f4784c7aa51cc7
SSDEEP

12288:/Pp8nqimx0wlujaytyq9xq86iAGSIzc+2JTAKXBfnn3MVq3EWMyihVCFDV:Hp8nMluWyj9x/6rGS9XBfuq3tMyihqDV

Score

1^/10

Malware Config

Signatures

Files

NEAS.9cf3e84681cd3ae1ab648a52c9d31fd0.exe
.sys windows:5 windows x64

a41f51783d1c81a3b368129aa268d0f2

Code Sign

61:1c:b2:8a:00:00:00:00:00:26
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:41

Not After

15/04/2021, 19:51

Subject

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:33:12:30:52:5a:25:a7:f8:10:e5:34:88:b0:aa:40
Certificate

Issuer

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

25/11/2020, 00:00

Not After

22/02/2024, 23:59

Subject

CN=Tencent Technology(Shenzhen) Company Limited,O=Tencent Technology(Shenzhen) Company Limited,L=Shenzhen,ST=Guangdong Province,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11/02/2011, 12:00

Not After

10/02/2026, 12:00

Subject

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2013, 12:00

Not After

22/10/2028, 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:1c:b2:8a:00:00:00:00:00:26
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:41

Not After

15/04/2021, 19:51

Subject

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:a7:f6:86:bc:40:35:4a:70:f2:c2:97:c1:31:5e:f6
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

25/11/2020, 00:00

Not After

22/02/2024, 23:59

Subject

CN=Tencent Technology(Shenzhen) Company Limited,O=Tencent Technology(Shenzhen) Company Limited,L=Shenzhen,ST=Guangdong Province,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ae:45:02:05:04:04:38:da:92:3b:b7:89:08:a8:72:9d:d7:09:c8:68:e9:65:99:a8:af:fd:56:10:ca:a1:f4:d3
Signer

Actual PE Digest

ae:45:02:05:04:04:38:da:92:3b:b7:89:08:a8:72:9d:d7:09:c8:68:e9:65:99:a8:af:fd:56:10:ca:a1:f4:d3

Digest Algorithm

sha256

PE Digest Matches

true

bf:9d:bd:ad:a8:ff:4a:da:7c:68:eb:52:c8:1d:ee:dc:70:fe:53:16
Signer

Actual PE Digest

bf:9d:bd:ad:a8:ff:4a:da:7c:68:eb:52:c8:1d:ee:dc:70:fe:53:16

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ExFreePoolWithTag
RtlTimeToSecondsSince1970
ZwReadFile
RtlInitUnicodeString
swprintf
ZwSetInformationFile
KeDelayExecutionThread
ZwWaitForSingleObject
ZwCreateFile
ZwQueryDirectoryFile
PsGetCurrentThreadId
ZwOpenFile
ZwQueryInformationFile
ZwWriteFile
IoFileObjectType
ZwClose
ObReferenceObjectByHandle
ObfDereferenceObject
IoQueryFileDosDeviceName
DbgPrint
PsCreateSystemThread
ZwConnectPort
ZwCreateEvent
ExReleaseFastMutex
ExAcquireFastMutex
KeInitializeEvent
LpcPortObjectType
LpcRequestPort
ZwSetEvent
ZwCreateSection
ZwFsControlFile
ZwCancelIoFile
ZwWaitForMultipleObjects
RtlUnicodeStringToAnsiString
ZwSetValueKey
ZwQueryValueKey
RtlxUnicodeStringToAnsiSize
NlsMbOemCodePageTag
ZwOpenKey
_stricmp
MmIsAddressValid
PsSetCreateProcessNotifyRoutine
IofCompleteRequest
KeWaitForSingleObject
KeSetEvent
IoCreateFile
IoFreeMdl
IoAllocateMdl
RtlAnsiStringToUnicodeString
ExInitializeNPagedLookasideList
ExpInterlockedPushEntrySList
ExpInterlockedPopEntrySList
ExSystemTimeToLocalTime
PsTerminateSystemThread
_vsnprintf
ExQueryDepthSList
RtlTimeToTimeFields
PsThreadType
ExInterlockedRemoveHeadList
PsGetCurrentProcessId
KeWaitForMultipleObjects
ExDeleteNPagedLookasideList
PsGetProcessPeb
PsLookupProcessByProcessId
ExGetPreviousMode
ZwQuerySystemInformation
KeUnstackDetachProcess
IoGetCurrentProcess
ExAllocatePoolWithTag
ZwQueryInformationProcess
PsGetProcessId
KeStackAttachProcess
ProbeForRead
ObOpenObjectByPointer
MmSectionObjectType
_wcsicmp
IoThreadToProcess
PsProcessType
PsGetProcessImageFileName
KeInitializeApc
KeInsertQueueApc
PsGetThreadId
ZwTerminateProcess
ZwQueryInformationThread
PsLookupThreadByThreadId
RtlxAnsiStringToUnicodeSize
MmProbeAndLockPages
isspace
_wcsnicmp
isdigit
isupper
RtlGetVersion
MmUserProbeAddress
ExAcquireResourceExclusiveLite
strncmp
KeLeaveCriticalRegion
strstr
ZwMapViewOfSection
KeEnterCriticalRegion
MmMapViewInSystemSpace
strncpy
ZwUnmapViewOfSection
ExAcquireResourceSharedLite
ExReleaseResourceLite
MmUnmapViewInSystemSpace
ExDeleteResourceLite
ExInitializeResourceLite
KeInitializeMutex
MmFreeMappingAddress
KeReleaseMutex
MmMapLockedPagesWithReservedMapping
MmAllocateMappingAddress
MmUnmapReservedMapping
MmUnlockPages
strchr
MmGetSystemRoutineAddress
atoi
_snprintf
ZwFreeVirtualMemory
ZwSetInformationThread
RtlRandom
ZwAllocateVirtualMemory
ZwSetTimer
ZwCreateTimer
ZwCancelTimer
sprintf
RtlSetBits
RtlInitializeBitMap
ExEventObjectType
MmUnmapLockedPages
IoDeleteSymbolicLink
PsRemoveCreateThreadNotifyRoutine
PsIsSystemThread
IoDeleteDevice
PsSetCreateThreadNotifyRoutine
MmHighestUserAddress
KeDetachProcess
MmMapLockedPagesSpecifyCache
ZwSetInformationProcess
KeAttachProcess
IoCreateSymbolicLink
IoCreateDevice
ExSetTimerResolution
strrchr
ZwOpenEvent
PsSetContextThread
PsGetContextThread
_itoa
ProbeForWrite
ZwYieldExecution
qsort
RtlSecondsSince1970ToTime
__C_specific_handler

hal

KeQueryPerformanceCounter

Sections

.text
Size: 750KB - Virtual size: 750KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 166KB - Virtual size: 165KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.tvm0
Size: 412KB - Virtual size: 412KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a41f51783d1c81a3b368129aa268d0f2

Code Sign

61:1c:b2:8a:00:00:00:00:00:26Certificate

Key Usages

0e:33:12:30:52:5a:25:a7:f8:10:e5:34:88:b0:aa:40Certificate

Extended Key Usages

Key Usages

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bdCertificate

Extended Key Usages

Key Usages

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08Certificate

Extended Key Usages

Key Usages

61:1c:b2:8a:00:00:00:00:00:26Certificate

Key Usages

0e:a7:f6:86:bc:40:35:4a:70:f2:c2:97:c1:31:5e:f6Certificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

ae:45:02:05:04:04:38:da:92:3b:b7:89:08:a8:72:9d:d7:09:c8:68:e9:65:99:a8:af:fd:56:10:ca:a1:f4:d3Signer

bf:9d:bd:ad:a8:ff:4a:da:7c:68:eb:52:c8:1d:ee:dc:70:fe:53:16Signer

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: 750KB - Virtual size: 750KB

.rdata Size: 166KB - Virtual size: 165KB

.data Size: 21KB - Virtual size: 32KB

.pdata Size: 43KB - Virtual size: 42KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 840B

.reloc Size: 17KB - Virtual size: 17KB

.tvm0 Size: 412KB - Virtual size: 412KB

61:1c:b2:8a:00:00:00:00:00:26
Certificate

0e:33:12:30:52:5a:25:a7:f8:10:e5:34:88:b0:aa:40
Certificate

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

61:1c:b2:8a:00:00:00:00:00:26
Certificate

0e:a7:f6:86:bc:40:35:4a:70:f2:c2:97:c1:31:5e:f6
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

ae:45:02:05:04:04:38:da:92:3b:b7:89:08:a8:72:9d:d7:09:c8:68:e9:65:99:a8:af:fd:56:10:ca:a1:f4:d3
Signer

bf:9d:bd:ad:a8:ff:4a:da:7c:68:eb:52:c8:1d:ee:dc:70:fe:53:16
Signer

.text
Size: 750KB - Virtual size: 750KB

.rdata
Size: 166KB - Virtual size: 165KB

.data
Size: 21KB - Virtual size: 32KB

.pdata
Size: 43KB - Virtual size: 42KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 840B

.reloc
Size: 17KB - Virtual size: 17KB

.tvm0
Size: 412KB - Virtual size: 412KB