NEAS[.]903dfabb1c65f27cdd18e5bd71c971e0[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.903dfabb1c65f27cdd18e5bd71c971e0.exe
Size

665KB
MD5

903dfabb1c65f27cdd18e5bd71c971e0
SHA1

759531a90f37e4f90107f42934717f13b86db7b3
SHA256

90513e915e997670e288e629ae7280fc16cbb3c0715081b5ee2cf578479d9db1
SHA512

8f7e96b8647f8a1e774c22cf207a5af8bf5985cb812f60c22bbe1cd56cb173a0a226abcada1923f7298b6b8a78b62e3c4d680170323b1091d461b32d5d2f9efb
SSDEEP

12288:HxSBKprdMHDLdiKz/V5E6NlMArKCHzURtngKrFN7Xwpn921bGlSUHTi5QwF1QpH2:RSBKBdOfDzjVGPgKrFxwzVzEcSTrEH76

Score

1^/10

Malware Config

Signatures

Files

NEAS.903dfabb1c65f27cdd18e5bd71c971e0.exe
.dll windows:10 windows x86

ede04c9300b03910e43b53259e31bfde

Code Sign

33:00:00:00:b5:ac:7d:6d:87:6b:26:11:47:00:00:00:00:00:b5
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/09/2016, 17:58

Not After

07/09/2018, 17:58

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:40:96:a9:ee:70:56:fe:cc:07:00:01:00:00:01:40
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/08/2016, 20:17

Not After

02/11/2017, 20:17

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:01:4f:e7:c6:62:c9:46:f4:a9:7f:00:00:00:00:01:4f
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

17/11/2016, 21:59

Not After

17/02/2018, 21:59

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

13:8b:63:90:b6:1f:55:13:7f:ca:dd:07:c0:b1:d3:f0:87:70:92:2e:e8:a2:24:fc:57:d1:b9:b5:86:89:4c:8d
Signer

Actual PE Digest

13:8b:63:90:b6:1f:55:13:7f:ca:dd:07:c0:b1:d3:f0:87:70:92:2e:e8:a2:24:fc:57:d1:b9:b5:86:89:4c:8d

Digest Algorithm

sha256

PE Digest Matches

false

37:f7:05:dc:03:01:a3:7d:7b:d4:84:e7:36:71:80:73:6e:8c:a8:79
Signer

Actual PE Digest

37:f7:05:dc:03:01:a3:7d:7b:d4:84:e7:36:71:80:73:6e:8c:a8:79

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

Imports

msvcrt

memcpy
memcmp
_callnewh
bsearch
_vscwprintf
_purecall
_strcmpi
_wcstoi64
wcstoul
_wcsupr
qsort
wcschr
_wcsrev
iswspace
_wcslwr
_snwprintf_s
towlower
towupper
memmove
_strnicmp
memcpy_s
strcpy_s
wcsncmp
_wcsnicmp
wcsnlen
wcsstr
_vsnwprintf
_wtoi
swscanf_s
wcsrchr
_wcsicmp
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
_initterm
memmove_s
malloc
free
_amsg_exit
_XcptFilter
memset

kernel32

GetPrivateProfileSectionW
OpenEventW
SetEvent
WaitForMultipleObjects
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
DuplicateHandle
GetVolumeInformationW
GetProcAddress
FreeLibrary
LoadLibraryExW
GetFinalPathNameByHandleW
GlobalMemoryStatusEx
SetFileAttributesW
GetVolumeInformationByHandleW
CreateSemaphoreW
InitializeCriticalSectionAndSpinCount
OpenProcess
CreateThread
CopyFileExW
WaitForMultipleObjectsEx
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetLogicalDriveStringsW
CreateProcessW
GetExitCodeProcess
CreateSemaphoreExW
MultiByteToWideChar
DosDateTimeToFileTime
LocalFileTimeToFileTime
SetFileTime
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetLastError
GetHandleInformation
SetLastError
SetFilePointerEx
CloseHandle
SetEndOfFile
CompareStringW
HeapFree
GetProcessHeap
DeleteFileW
CreateFileW
GetFileInformationByHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
GetSystemTimeAsFileTime
GetCurrentThreadId
GetDriveTypeW
RemoveDirectoryW
GetCurrentProcessId
QueryPerformanceCounter
Sleep
DisableThreadLibraryCalls
LoadLibraryW
DeviceIoControl
WriteFile
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetVolumePathNamesForVolumeNameW
GetFileSizeEx
GetFullPathNameW
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
CreateEventW
LockFileEx
UnlockFileEx
HeapReAlloc
GetModuleHandleW
GetCurrentDirectoryW
ExpandEnvironmentStringsW
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
WaitForSingleObject
ReleaseMutex
WideCharToMultiByte
ReleaseSemaphore
GetCurrentThread

bcrypt

BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider

fltlib

FilterLoad
FilterAttach

cabinet

ord23
ord22
ord20

ntdll

RtlGetVersion
DbgPrintEx
NtYieldExecution
RtlRaiseStatus
RtlReAllocateHeap
RtlDeleteCriticalSection
RtlInitializeCriticalSection
RtlDosPathNameToNtPathName_U_WithStatus
RtlDeleteResource
RtlReleaseResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlInitializeResource
NtSetEaFile
RtlInitUnicodeString
NtQuerySecurityObject
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlGetLastNtStatus
NtSetInformationFile
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError

advapi32

GetAclInformation
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
AllocateAndInitializeSid
RegUnLoadKeyW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey
RegOpenKeyExW
RegDeleteKeyExW
OpenThreadToken
OpenProcessToken
AdjustTokenPrivileges
WriteEncryptedFileRaw
GetTokenInformation
SetThreadToken
GetLengthSid
InitializeAcl
AddAccessAllowedAce
EqualSid
SetSecurityDescriptorDacl
RegQueryValueExW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
CloseEncryptedFileRaw
ReadEncryptedFileRaw
OpenEncryptedFileRawW
FreeSid
GetSecurityInfo
RevertToSelf
AddAccessAllowedAceEx
InitializeSecurityDescriptor

version

VerQueryValueW
GetFileVersionInfoExW
GetFileVersionInfoSizeExW

user32

CharUpperW

rpcrt4

RpcBindingFree
RpcBindingSetAuthInfoW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
UuidCreate
I_RpcMapWin32Status
UuidToStringW
RpcStringFreeW
UuidFromStringW
NdrClientCall2

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetImageUserSpecifiedCreationTime
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSetWimGuid
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry

Sections

.text
Size: 530KB - Virtual size: 530KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ede04c9300b03910e43b53259e31bfde

Code Sign

33:00:00:00:b5:ac:7d:6d:87:6b:26:11:47:00:00:00:00:00:b5Certificate

Extended Key Usages

33:00:00:01:40:96:a9:ee:70:56:fe:cc:07:00:01:00:00:01:40Certificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:01:4f:e7:c6:62:c9:46:f4:a9:7f:00:00:00:00:01:4fCertificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

13:8b:63:90:b6:1f:55:13:7f:ca:dd:07:c0:b1:d3:f0:87:70:92:2e:e8:a2:24:fc:57:d1:b9:b5:86:89:4c:8dSigner

37:f7:05:dc:03:01:a3:7d:7b:d4:84:e7:36:71:80:73:6e:8c:a8:79Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

kernel32

bcrypt

fltlib

cabinet

ntdll

advapi32

version

user32

rpcrt4

Exports

Exports

Sections

.text Size: 530KB - Virtual size: 530KB

.data Size: 1024B - Virtual size: 3KB

.idata Size: 7KB - Virtual size: 6KB

.rsrc Size: 15KB - Virtual size: 14KB

.reloc Size: 19KB - Virtual size: 19KB

33:00:00:00:b5:ac:7d:6d:87:6b:26:11:47:00:00:00:00:00:b5
Certificate

33:00:00:01:40:96:a9:ee:70:56:fe:cc:07:00:01:00:00:01:40
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:01:4f:e7:c6:62:c9:46:f4:a9:7f:00:00:00:00:01:4f
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

13:8b:63:90:b6:1f:55:13:7f:ca:dd:07:c0:b1:d3:f0:87:70:92:2e:e8:a2:24:fc:57:d1:b9:b5:86:89:4c:8d
Signer

37:f7:05:dc:03:01:a3:7d:7b:d4:84:e7:36:71:80:73:6e:8c:a8:79
Signer

.text
Size: 530KB - Virtual size: 530KB

.data
Size: 1024B - Virtual size: 3KB

.idata
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 15KB - Virtual size: 14KB

.reloc
Size: 19KB - Virtual size: 19KB