netpass[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

netpass.exe
Size

124KB
MD5

f627c30429d967082cdcf634aa735410
SHA1

7ab128659ad586761ea68009d59a1ccf1547a039
SHA256

6a87226ed5cca8e072507d6c24289c57757dd96177f329a00b00e40427a1d473
SHA512

99c2510a5c0ff0cf319e5924a61aaf84422397062d6440e549cbc6d2b6e4c4f27432d6ca107ff26a4848b8d9f6a5b1e2d1207a86e2463194c48eaed45ce9a515
SSDEEP

3072:ijT1rSJRqxkGxLB6O3K/ojoTbX7d9cfEc1k2p3gexEo8:SrSXEFaNtgkB

Score

10^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
sample	Nirsoft

Files

netpass.exe
.exe windows:4 windows x64

23f3b457054ba53b07f4aab58d53a431

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

24/08/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

Issuer

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/09/2014, 00:00

Not After

12/09/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

30/03/2016, 00:00

Not After

30/06/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-256 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

ba:01:48:8f:b3:1d:e0:34:57:eb:42:9b:72:39:84:b4:86:5f:c8:dd:85:a8:1e:66:f8:93:75:a4:11:56:f1:21
Signer

Actual PE Digest

ba:01:48:8f:b3:1d:e0:34:57:eb:42:9b:72:39:84:b4:86:5f:c8:dd:85:a8:1e:66:f8:93:75:a4:11:56:f1:21

Digest Algorithm

sha256

PE Digest Matches

true

56:aa:7f:1f:d9:8d:6c:d7:42:43:1a:3e:a6:68:27:61:12:a5:c1:7e
Signer

Actual PE Digest

56:aa:7f:1f:d9:8d:6c:d7:42:43:1a:3e:a6:68:27:61:12:a5:c1:7e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_initterm
__getmainargs
_acmdln
exit
_cexit
_exit
_c_exit
_XcptFilter
__C_specific_handler
_onexit
__dllonexit
_strlwr
_purecall
__setusermatherr
_memicmp
strchr
strrchr
_strcmpi
malloc
free
strtoul
strcmp
_snprintf
memcmp
_commode
_fmode
__set_app_type
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
_strnicmp
wcscpy
wcschr
wcsncmp
_mbsicmp
log
strlen
memcpy
abs
wcslen
_mbscmp
strcpy
memset
_itoa
sprintf
strcat
strncat

comctl32

ImageList_Create
ImageList_SetImageCount
CreateToolbarEx
ord6
ImageList_AddMasked
ord17
ImageList_ReplaceIcon

kernel32

ExitProcess
GetCurrentProcessId
GetCurrentProcess
DeleteFileA
EnumResourceNamesA
WritePrivateProfileStringA
GetPrivateProfileStringA
GetPrivateProfileIntA
MultiByteToWideChar
FormatMessageA
GetSystemDirectoryA
LockResource
ReadFile
GetTempPathA
GetTimeFormatA
CreateRemoteThread
SizeofResource
EnumResourceTypesA
GetStartupInfoA
CloseHandle
FreeLibrary
GetProcAddress
LoadLibraryA
WideCharToMultiByte
CompareFileTime
FileTimeToLocalFileTime
GetModuleHandleA
GetFileSize
VirtualAllocEx
LocalFree
OpenProcess
WriteProcessMemory
ResumeThread
VirtualFreeEx
ReadProcessMemory
WaitForSingleObject
GetLastError
LocalAlloc
FileTimeToSystemTime
GetModuleFileNameA
CreateFileA
GetWindowsDirectoryA
FindNextFileA
FindResourceA
GetDateFormatA
GlobalUnlock
WriteFile
LoadLibraryExA
FindFirstFileA
GlobalAlloc
LoadResource
GetTempFileNameA
GetFileAttributesA
FindClose
GetVersionExA
GlobalLock

user32

GetMessageA
RegisterWindowMessageA
EndDeferWindowPos
GetFocus
DrawTextExA
IsDialogMessageA
DispatchMessageA
TranslateMessage
PostQuitMessage
BeginDeferWindowPos
TrackPopupMenu
GetSysColorBrush
ShowWindow
SetCursor
LoadCursorA
MessageBoxA
GetDlgItem
CreateWindowExA
InvalidateRect
SetDlgItemInt
GetClientRect
SetDlgItemTextA
GetDlgItemTextA
SetWindowTextA
GetSystemMetrics
DeferWindowPos
SendDlgItemMessageA
GetWindowRect
GetDlgItemInt
EndDialog
TranslateAcceleratorA
GetWindowPlacement
SendMessageA
RegisterClassA
UpdateWindow
PostMessageA
SetMenu
LoadAcceleratorsA
SetWindowPos
DefWindowProcA
LoadImageA
LoadIconA
GetWindowLongA
SetWindowLongA
SetFocus
GetDC
GetSysColor
CheckMenuItem
SetClipboardData
EnableWindow
EmptyClipboard
MapWindowPoints
EnableMenuItem
ReleaseDC
OpenClipboard
GetClassNameA
CloseClipboard
GetMenuItemCount
GetSubMenu
GetMenuStringA
GetMenu
GetCursorPos
MoveWindow
GetWindowTextA
LoadMenuA
GetParent
ModifyMenuA
LoadStringA
DialogBoxParamA
GetDlgCtrlID
DestroyMenu
CreateDialogParamA
DestroyWindow
EnumChildWindows
GetMenuItemInfoA
ChildWindowFromPoint

gdi32

GetStockObject
GetTextExtentPoint32A
SetBkColor
GetDeviceCaps
SelectObject
SetTextColor
CreateFontIndirectA
SetBkMode
DeleteObject

comdlg32

FindTextA
GetSaveFileNameA

advapi32

RegDeleteKeyA
RegOpenKeyExA
RegCloseKey
RegQueryValueExA

shell32

SHGetMalloc
SHBrowseForFolderA
ShellExecuteA
SHGetPathFromIDListA

ole32

CoInitialize
CoUninitialize

Sections

.text
Size: 73KB - Virtual size: 72KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

23f3b457054ba53b07f4aab58d53a431

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bbCertificate

Extended Key Usages

Key Usages

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8Certificate

Extended Key Usages

Key Usages

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77Certificate

Extended Key Usages

Key Usages

ba:01:48:8f:b3:1d:e0:34:57:eb:42:9b:72:39:84:b4:86:5f:c8:dd:85:a8:1e:66:f8:93:75:a4:11:56:f1:21Signer

56:aa:7f:1f:d9:8d:6c:d7:42:43:1a:3e:a6:68:27:61:12:a5:c1:7eSigner

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

comctl32

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

Sections

.text Size: 73KB - Virtual size: 72KB

.rdata Size: 15KB - Virtual size: 14KB

.data Size: 3KB - Virtual size: 7KB

.pdata Size: 3KB - Virtual size: 3KB

.rsrc Size: 17KB - Virtual size: 17KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

ba:01:48:8f:b3:1d:e0:34:57:eb:42:9b:72:39:84:b4:86:5f:c8:dd:85:a8:1e:66:f8:93:75:a4:11:56:f1:21
Signer

56:aa:7f:1f:d9:8d:6c:d7:42:43:1a:3e:a6:68:27:61:12:a5:c1:7e
Signer

.text
Size: 73KB - Virtual size: 72KB

.rdata
Size: 15KB - Virtual size: 14KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 17KB - Virtual size: 17KB