NEAS[.]548649233816343b8d48783991cf06e0[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.548649233816343b8d48783991cf06e0.exe
Size

819KB
MD5

548649233816343b8d48783991cf06e0
SHA1

8f4c828221ae3e38c19f31a9ce04fe99bfead67f
SHA256

19e4a0cb41766d0bc77e0463afdfaab468302920137e8f85b65e56628dfa5cf1
SHA512

2671bcedb0709e1aa0201879414eaef04b42bfe5b127bbdae16d02790130e40f34684e371aba5e323c697b843ae8197d256d926f5a2704a33e112ca32f3d53b4
SSDEEP

24576:uggoepOpeJeCxLBRwsLMEMdAaERf+WaaBN5NR2a8vaS:MIsic9LaaBNzR2FvaS

Score

1^/10

Malware Config

Signatures

Files

NEAS.548649233816343b8d48783991cf06e0.exe
.dll windows:4 windows x86

faa44c90a7e3c424c4e7e613283f53f2

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

33:65:50:08:79:ad:73:e2:30:b9:e0:1d:0d:7f:ac:91
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

17/11/2006, 00:00

Not After

30/12/2020, 23:59

Subject

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:d2:08:d5:87:8e:4d:25:73:4d:33:5f:71:c6:4a:5d
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

06/05/2012, 00:00

Not After

05/06/2013, 23:59

Subject

CN=上海瑞创网络科技股份有限公司,OU=Provided by TrustAsia,O=上海瑞创网络科技股份有限公司,L=上海,ST=上海,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

c4:6b:5d:e4:5e:72:88:91:50:c4:fd:3c:f4:74:b1:0d:a0:26:9a:8e
Signer

Actual PE Digest

c4:6b:5d:e4:5e:72:88:91:50:c4:fd:3c:f4:74:b1:0d:a0:26:9a:8e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CreateDirectoryW
RemoveDirectoryW
DeleteFileW
ReleaseMutex
CreateMutexW
GetLongPathNameW
SetFileAttributesW
GetFullPathNameW
GetTempPathW
GetTempFileNameW
GetWindowsDirectoryW
FindFirstFileW
FindClose
FindNextFileW
WriteFile
ReadFile
GlobalLock
GlobalUnlock
GetUserDefaultLangID
ExpandEnvironmentStringsW
VirtualAllocEx
VirtualFreeEx
ReadProcessMemory
WriteProcessMemory
GetVersionExW
GetFileAttributesW
TerminateThread
CreateNamedPipeW
FlushInstructionCache
GlobalAddAtomW
ProcessIdToSessionId
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
PeekNamedPipe
GlobalAlloc
GlobalFree
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
LoadLibraryA
GetThreadLocale
GetLocaleInfoA
GetVersionExA
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
InterlockedCompareExchange
InterlockedExchange
SwitchToThread
SuspendThread
GetExitCodeThread
DisconnectNamedPipe
OpenThread
GetACP
WideCharToMultiByte
ResumeThread
InterlockedExchangeAdd
MultiByteToWideChar
LoadResource
InterlockedIncrement
DisableThreadLibraryCalls
FindResourceW
lstrcmpiW
InterlockedDecrement
LoadLibraryExW
LeaveCriticalSection
SizeofResource
InitializeCriticalSection
RaiseException
GetModuleHandleW
lstrlenW
DeleteCriticalSection
EnterCriticalSection
GetModuleFileNameW
OpenProcess
CreateProcessW
WaitForMultipleObjects
ResetEvent
CreateEventW
SetEvent
WaitForSingleObject
GetCurrentThreadId
LoadLibraryW
HeapAlloc
GetProcAddress
GetProcessHeap
HeapFree
GetCurrentProcess
FreeLibrary
CopyFileW
Sleep
GetCurrentProcessId
GetPrivateProfileStringW
GetTickCount
CreateFileW
GetLastError
CloseHandle
GetFileSize
ConnectNamedPipe

user32

GetWindowThreadProcessId
IsWindowEnabled
AllowSetForegroundWindow
GetActiveWindow
IsWindowVisible
SendMessageW
GetWindowRect
InvalidateRect
BringWindowToTop
GetSystemMetrics
IsHungAppWindow
GetForegroundWindow
GetDC
SetForegroundWindow
PostMessageW
GetDesktopWindow
SystemParametersInfoW
IsIconic
FindWindowExW
ShowWindow
GetWindow
SwitchToThisWindow
GetWindowLongW
EndPaint
GetPropW
CreateWindowExW
ScreenToClient
UnregisterClassW
SetWindowRgn
EnumWindows
LoadImageW
BeginPaint
RegisterClassW
DefWindowProcW
GetCursorPos
LoadCursorW
RegisterHotKey
SetWindowLongW
LoadAcceleratorsW
LoadStringW
RegisterClassExW
CallWindowProcW
UnregisterHotKey
IsWindow
UnregisterClassA
GetClassInfoExW
LoadMenuW
SetWindowPos
SendMessageTimeoutW
SetPropW
DispatchMessageW
TranslateMessage
SetTimer
GetMessageW
CharNextW
DestroyWindow
EmptyClipboard
GetClipboardData
SetClipboardData
CloseClipboard
RegisterClipboardFormatW
OpenClipboard
MessageBoxW
GetClassNameW

gdi32

SelectObject
CreateCompatibleDC
GetPixel
CreateRectRgn
CombineRgn
DeleteObject
GetObjectW
DeleteDC
BitBlt

advapi32

InitializeSecurityDescriptor
RegDeleteKeyW
RegCreateKeyExW
GetUserNameW
RegQueryValueExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
AddAce
GetTokenInformation
FreeSid
GetLengthSid
CopySid
InitializeAcl
AllocateAndInitializeSid
GetSidSubAuthority
RegEnumKeyW
OpenProcessToken
SetSecurityDescriptorDacl
RegSetKeySecurity
RegCloseKey
RegGetKeySecurity
GetSidSubAuthorityCount
GetSidIdentifierAuthority
RegDeleteValueW

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListW
SHChangeNotify
ShellExecuteW
ShellExecuteExW
SHFileOperationW

ole32

CoInitialize
CoCreateInstance
CoUninitialize
CoTaskMemRealloc
CoTaskMemFree
CoTaskMemAlloc
OleInitialize
OleUninitialize
CoCreateGuid
StringFromGUID2

oleaut32

VarUI4FromStr

msvcr80

memset
__clean_type_info_names_internal
_except_handler4_common
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
__CppXcptFilter
_adjust_fdiv
_amsg_exit
_initterm_e
_initterm
_encoded_null
_malloc_crt
_decode_pointer
_onexit
_lock
_encode_pointer
__dllonexit
_unlock
?terminate@@YAXXZ
__CxxFrameHandler3
_CxxThrowException
_splitpath_s
_stricmp
vswprintf_s
_wtoi
_localtime64
strstr
toupper
tolower
strchr
_time64
memcpy
wcsstr
towlower
_vsnwprintf_s
towupper
wcschr
_errno
_beginthreadex
wcsncpy_s
_recalloc
malloc
memchr
_wcsdup
free
_swprintf
isalnum
??_V@YAXPAX@Z
_invalid_parameter_noinfo
??0exception@std@@QAE@ABV01@@Z
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@XZ
??1exception@std@@UAE@XZ
??2@YAPAXI@Z
?what@exception@std@@UBEPBDXZ
memcpy_s
memmove_s
??3@YAXPAX@Z
_purecall

shlwapi

SHDeleteKeyW
UrlUnescapeW

urlmon

IsValidURL
URLDownloadToFileW

wininet

InternetSetOptionA
InternetQueryOptionW
InternetOpenA
InternetCloseHandle
DeleteUrlCacheEntryW
GetUrlCacheEntryInfoW
FindNextUrlCacheEntryW
InternetCrackUrlW
InternetSetOptionW
FindFirstUrlCacheEntryW
FindCloseUrlCache

dnsapi

DnsRecordListFree
DnsQuery_W

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

Exports

Exports

CoralCreateObject

Sections

.text
Size: 647KB - Virtual size: 647KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 103KB - Virtual size: 103KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

faa44c90a7e3c424c4e7e613283f53f2

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

33:65:50:08:79:ad:73:e2:30:b9:e0:1d:0d:7f:ac:91Certificate

Key Usages

11:d2:08:d5:87:8e:4d:25:73:4d:33:5f:71:c6:4a:5dCertificate

Extended Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

c4:6b:5d:e4:5e:72:88:91:50:c4:fd:3c:f4:74:b1:0d:a0:26:9a:8eSigner

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

msvcr80

shlwapi

urlmon

wininet

dnsapi

version

Exports

Exports

Sections

.text Size: 647KB - Virtual size: 647KB

.rdata Size: 103KB - Virtual size: 103KB

.data Size: 9KB - Virtual size: 11KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 50KB - Virtual size: 49KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

33:65:50:08:79:ad:73:e2:30:b9:e0:1d:0d:7f:ac:91
Certificate

11:d2:08:d5:87:8e:4d:25:73:4d:33:5f:71:c6:4a:5d
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

c4:6b:5d:e4:5e:72:88:91:50:c4:fd:3c:f4:74:b1:0d:a0:26:9a:8e
Signer

.text
Size: 647KB - Virtual size: 647KB

.rdata
Size: 103KB - Virtual size: 103KB

.data
Size: 9KB - Virtual size: 11KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 50KB - Virtual size: 49KB