NEAS[.]398e37dcae3ddc1d6175d8cc59d1ee20[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.398e37dcae3ddc1d6175d8cc59d1ee20.exe
Size

2.6MB
MD5

398e37dcae3ddc1d6175d8cc59d1ee20
SHA1

bf0e30f25bbb9f97629377859b7813fb030068c4
SHA256

cf533c4fd69b58d8cc75db90214f0aa694d8788babecfb07efdead5b9be5880a
SHA512

bdf096757032e32aeeedecd8a33fc43cef4c9748f5699e41b1bff8ad05c7cd00eb65d4b5ad8a5f68fb56e59ce083f7511eb41f2172acd6732a44cb6efff1e8b0
SSDEEP

49152:iFJDxwMeJATJ4M4VRUTJFXjwJik1QqTB3W2a1Bract3:iNwZJATa0JV6BN99a3raG3

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

NEAS.398e37dcae3ddc1d6175d8cc59d1ee20.exe
.sys windows:10 windows x64

9ff4a26c313c10d66024dab7c1ed86f7

Code Sign

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

20/05/2013, 00:00

Not After

20/05/2014, 23:59

Subject

CN=Shenzhen yundian Technology Co.\, Ltd,O=Shenzhen yundian Technology Co.\, Ltd,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:31

Not After

22/02/2021, 19:41

Subject

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c6:8d:a5:49:cc:cf:60:5b:2e:5b:69:08:40:49:83:17:52:0a:3b:12
Signer

Actual PE Digest

c6:8d:a5:49:cc:cf:60:5b:2e:5b:69:08:40:49:83:17:52:0a:3b:12

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

DbgPrint
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint

hal

KeQueryPerformanceCounter

Sections

.text
Size: - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 256KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 408B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp2
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9ff4a26c313c10d66024dab7c1ed86f7

Code Sign

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99Certificate

Extended Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

61:1f:b0:a4:00:00:00:00:00:1dCertificate

Key Usages

c6:8d:a5:49:cc:cf:60:5b:2e:5b:69:08:40:49:83:17:52:0a:3b:12Signer

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 9KB

.rdata Size: - Virtual size: 1KB

.data Size: - Virtual size: 256KB

.pdata Size: - Virtual size: 408B

INIT Size: - Virtual size: 1KB

.vmp0 Size: - Virtual size: 1.3MB

.vmp1 Size: 512B - Virtual size: 8B

.vmp2 Size: 2.6MB - Virtual size: 2.6MB

.reloc Size: 512B - Virtual size: 208B

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

c6:8d:a5:49:cc:cf:60:5b:2e:5b:69:08:40:49:83:17:52:0a:3b:12
Signer

.text
Size: - Virtual size: 9KB

.rdata
Size: - Virtual size: 1KB

.data
Size: - Virtual size: 256KB

.pdata
Size: - Virtual size: 408B

INIT
Size: - Virtual size: 1KB

.vmp0
Size: - Virtual size: 1.3MB

.vmp1
Size: 512B - Virtual size: 8B

.vmp2
Size: 2.6MB - Virtual size: 2.6MB

.reloc
Size: 512B - Virtual size: 208B