NEAS[.]d8a5cc5b7f0585de8ebbb0cff0b51690[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.d8a5cc5b7f0585de8ebbb0cff0b51690.exe
Size

2.3MB
MD5

d8a5cc5b7f0585de8ebbb0cff0b51690
SHA1

9e098d8a4ce083ebae0f11d531fd17faee3aa350
SHA256

cb73490aa7a3e470d682c7ae4c439baf27117d5249f72f53d79185eb567d1981
SHA512

a02534129d878c25d81dbc107f2a1b03ba3295be18447437482f4a267a02271905a91b455bc28782b3d22a2bc9e34d3c61c33f200205d2934fc02db5cb32dc9a
SSDEEP

49152:pDubQgbanxrbVWPZGdxKx6+awMY68WM3zGoE5bx9o:IQ3xvVWBGdz+afYR

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
NEAS.d8a5cc5b7f0585de8ebbb0cff0b51690.exe

Files

NEAS.d8a5cc5b7f0585de8ebbb0cff0b51690.exe
.dll windows:6 windows x86

d74a625802e141f3356498bca1f362a9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

yaml

yaml_event_delete
yaml_parser_initialize
yaml_parser_delete
yaml_parser_set_input_string
yaml_parser_set_encoding
yaml_parser_parse

libcurl

curl_multi_add_handle
curl_easy_getinfo
curl_easy_cleanup
curl_easy_setopt
curl_easy_init
curl_multi_remove_handle
curl_multi_wait
curl_multi_perform
curl_easy_pause
curl_slist_free_all
curl_slist_append
curl_global_cleanup
curl_global_init
curl_multi_info_read
curl_multi_timeout
curl_multi_setopt
curl_multi_init
curl_multi_cleanup

libssl-1_1

SSL_CTX_use_PrivateKey
SSL_CTX_use_certificate
SSL_CTX_get_cert_store

libcrypto-1_1

BN_bn2hex
d2i_PublicKey
EVP_sha256
BIO_s_mem
BIO_free_all
d2i_X509
PEM_read_bio_X509
SHA1
SHA256_Init
SHA256_Update
X509_NAME_oneline
BN_free
BIO_puts
SHA256_Final
SHA256
SHA256_Transform
SHA512
CRYPTO_free
BIO_new
ASN1_INTEGER_to_BN
ERR_error_string_n
EVP_aes_128_ctr
EVP_CIPHER_CTX_free
ERR_peek_error
EVP_aes_256_ecb
EVP_DigestVerifyFinal
EVP_DigestVerifyInit
EVP_CIPHER_CTX_block_size
EVP_CIPHER_CTX_key_length
X509_get_subject_name
X509_get_issuer_name
X509_get_serialNumber
ERR_get_error
EVP_CIPHER_CTX_new
EVP_MD_CTX_new
EVP_MD_CTX_free
X509_STORE_add_cert
EVP_DecryptFinal
EVP_DecryptUpdate
EVP_DecryptInit
X509_free
EVP_PKEY_free
EVP_DigestUpdate

libzstd

ZSTD_decompress
ZSTD_versionNumber
ZSTD_getErrorName
ZSTD_isError
ZSTD_createDCtx
ZSTD_freeDCtx
ZSTD_decompressDCtx

advapi32

ConvertSecurityDescriptorToStringSecurityDescriptorA
EqualSid
GetAce
GetNamedSecurityInfoW
OpenProcessToken
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
GetFileSecurityW
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
ConvertSidToStringSidA
CreateWellKnownSid

crypt32

CertEnumCertificatesInStore
CertFreeCertificateContext
CertOpenSystemStoreW
CertCloseStore

dnsapi

DnsFree
DnsQuery_W

kernel32

FormatMessageW
CreateFileMappingW
CreateEventW
WaitForSingleObjectEx
DeviceIoControl
SetFileAttributesW
SetEndOfFile
RemoveDirectoryW
GetTempFileNameW
CreateFileW
GetCurrentDirectoryW
GetFileAttributesExW
FindNextFileW
FindFirstFileExW
MultiByteToWideChar
WideCharToMultiByte
SystemTimeToFileTime
VerifyVersionInfoW
LoadLibraryW
LoadLibraryA
GetModuleFileNameA
FreeLibrary
GetLocalTime
GetSystemTime
GetSystemInfo
GlobalMemoryStatusEx
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSection
QueryPerformanceFrequency
QueryPerformanceCounter
GetFileAttributesW
GetFileAttributesA
GetDiskFreeSpaceA
DeleteFileW
DeleteFileA
CreateDirectoryW
CreateDirectoryA
GetCurrentDirectoryA
GetTickCount
VerSetConditionMask
OutputDebugStringA
GetTempPathW
SetFilePointerEx
SetFilePointer
GetFullPathNameA
FindClose
UnmapViewOfFile
MapViewOfFile
GetCurrentThreadId
GetCurrentThread
Sleep
LeaveCriticalSection
EnterCriticalSection
GetLastError
RaiseException
WriteFile
UnlockFileEx
ReadFile
LockFileEx
GetFileSize
FlushFileBuffers
CreateFileA
GetSystemTimeAsFileTime
GetProcessHeap
UnlockFile
HeapDestroy
HeapCompact
HeapAlloc
HeapReAlloc
FlushViewOfFile
OutputDebugStringW
GetTempPathA
HeapSize
HeapValidate
CreateMutexW
LockFile
GetDiskFreeSpaceW
GetFullPathNameW
HeapFree
HeapCreate
AreFileApisANSI
Process32First
TryEnterCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
DisableThreadLibraryCalls
CloseHandle
WaitForSingleObject
GetCurrentProcessId
TerminateProcess
OpenProcess
ReadProcessMemory
GetModuleHandleW
GetProcAddress
GlobalFree
LocalAlloc
LocalFree
FormatMessageA
MoveFileExW
CreateToolhelp32Snapshot
Process32Next

msvcp140

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
_Strcoll
_Strxfrm
??0_Locinfo@std@@QAE@PBD@Z
??1_Locinfo@std@@QAE@XZ
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ
??Bid@locale@std@@QAEIXZ
??0facet@locale@std@@IAE@I@Z
??1facet@locale@std@@MAE@XZ
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?tolower@?$ctype@D@std@@QBEDD@Z
?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UAEXXZ
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$collate@D@std@@2V0locale@2@A
??4?$_Yarn@D@std@@QAEAAV01@PBD@Z
?_New_Locimp@_Locimp@locale@std@@CAPAV123@ABV123@@Z
?_Locimp_Addfac@_Locimp@locale@std@@CAXPAV123@PAVfacet@23@I@Z
??0codecvt_base@std@@QAE@I@Z
??1codecvt_base@std@@UAE@XZ
?in@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPA_W3AAPA_W@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PB_W1AAPB_WPAD3AAPAD@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QAE@I@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QAE@ABV_Locinfo@1@I@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MAE@XZ
??0?$codecvt@GDU_Mbstatet@@@std@@QAE@I@Z
??1?$codecvt@GDU_Mbstatet@@@std@@MAE@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z
?do_always_noconv@?$codecvt@_WDU_Mbstatet@@@std@@MBE_NXZ
?do_encoding@?$codecvt@_WDU_Mbstatet@@@std@@MBEHXZ
?do_encoding@codecvt_base@std@@MBEHXZ
?do_in@?$codecvt@_WDU_Mbstatet@@@std@@MBEHAAU_Mbstatet@@PBD1AAPBDPA_W3AAPA_W@Z
?do_length@?$codecvt@_WDU_Mbstatet@@@std@@MBEHAAU_Mbstatet@@PBD1I@Z
?do_max_length@?$codecvt@_WDU_Mbstatet@@@std@@MBEHXZ
?do_max_length@codecvt_base@std@@MBEHXZ
?do_out@?$codecvt@_WDU_Mbstatet@@@std@@MBEHAAU_Mbstatet@@PB_W1AAPB_WPAD3AAPAD@Z
?do_unshift@?$codecvt@_WDU_Mbstatet@@@std@@MBEHAAU_Mbstatet@@PAD1AAPAD@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$codecvt@GDU_Mbstatet@@@std@@2V0locale@2@A
?__ExceptionPtrCopyException@@YAXPAXPBX1@Z
_Thrd_hardware_concurrency
?_LogScheduleTask@_TaskEventLogger@details@Concurrency@@QAEX_N@Z
?__ExceptionPtrCreate@@YAXPAX@Z
?__ExceptionPtrDestroy@@YAXPAX@Z
?__ExceptionPtrCopy@@YAXPAXPBX@Z
?__ExceptionPtrAssign@@YAXPAXPBX@Z
?__ExceptionPtrToBool@@YA_NPBX@Z
?__ExceptionPtrCurrentException@@YAXPAX@Z
?__ExceptionPtrRethrow@@YAXPBX@Z
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z
?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z
?_Syserror_map@std@@YAPBDH@Z
?_Xbad_function_call@std@@YAXXZ
_Thrd_start
_Xtime_get_ticks
_Query_perf_counter
_Query_perf_frequency
_Thrd_join
_Thrd_sleep
_Thrd_id
_Mtx_init
_Mtx_destroy
_Mtx_init_in_situ
_Mtx_destroy_in_situ
_Mtx_current_owns
_Mtx_lock
_Mtx_unlock
_Cnd_init
_Cnd_destroy
_Cnd_init_in_situ
_Cnd_destroy_in_situ
_Cnd_wait
_Cnd_timedwait
_Cnd_broadcast
_Cnd_signal
_Cnd_register_at_thread_exit
_Cnd_unregister_at_thread_exit
_Cnd_do_broadcast_at_thread_exit
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_XGetLastError@std@@YAXXZ
?_Schedule_chore@details@Concurrency@@YAHPAU_Threadpool_chore@12@@Z
?_Release_chore@details@Concurrency@@YAXPAU_Threadpool_chore@12@@Z
?_ReportUnobservedException@details@Concurrency@@YAXXZ
?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ
?_CallInContext@_ContextCallback@details@Concurrency@@QBEXV?$function@$$A6AXXZ@std@@_N@Z
?_Reset@_ContextCallback@details@Concurrency@@AAEXXZ
?_Capture@_ContextCallback@details@Concurrency@@AAEXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AAEXXZ
??0task_continuation_context@Concurrency@@AAE@XZ
?_LogCancelTask@_TaskEventLogger@details@Concurrency@@QAEXXZ
?_LogTaskCompleted@_TaskEventLogger@details@Concurrency@@QAEXXZ
?_LogTaskExecutionCompleted@_TaskEventLogger@details@Concurrency@@QAEXXZ
?_LogWorkItemStarted@_TaskEventLogger@details@Concurrency@@QAEXXZ
?_LogWorkItemCompleted@_TaskEventLogger@details@Concurrency@@QAEXXZ
?_Throw_future_error@std@@YAXABVerror_code@1@@Z
?_Rethrow_future_exception@std@@YAXVexception_ptr@1@@Z
?_Random_device@std@@YAIXZ
?uncaught_exception@std@@YA_NXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ

vcruntime140

memchr
__CxxFrameHandler3
memcpy
_CxxThrowException
__std_exception_destroy
__std_exception_copy
__std_terminate
_purecall
memmove
memset
strrchr
strstr
strchr
__std_type_info_destroy_list
__std_type_info_compare
_except_handler4_common

api-ms-win-crt-runtime-l1-1-0

_errno
_initterm
_initterm_e
_crt_atexit
_invalid_parameter_noinfo
_cexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_execute_onexit_table
_endthreadex
_beginthreadex
terminate
abort
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-heap-l1-1-0

realloc
_msize
malloc
free

api-ms-win-crt-convert-l1-1-0

strtod
strtoll
strtoul
strtoull

api-ms-win-crt-stdio-l1-1-0

_ftelli64
__stdio_common_vswprintf
__acrt_iob_func
__stdio_common_vsnprintf_s
__stdio_common_vsprintf
__stdio_common_vsprintf_s
fputs
fflush
fclose
fseek
fopen

api-ms-win-crt-string-l1-1-0

isalnum
isspace
toupper
_stricmp
tolower
_strnicmp
strnlen
_strdup
strncpy_s
strncmp
strspn
isdigit
strcpy_s
strcspn

api-ms-win-crt-time-l1-1-0

_time64
strftime
_localtime64_s
_gmtime64_s

api-ms-win-crt-filesystem-l1-1-0

remove

api-ms-win-crt-math-l1-1-0

log2
_libm_sse2_log_precise
modf
_except1
__libm_sse2_pow

api-ms-win-crt-locale-l1-1-0

setlocale

ole32

CoCreateInstance
CoInitializeEx
CoUninitialize

psapi

GetProcessMemoryInfo

rpcrt4

UuidCreate

ws2_32

WSAAddressToStringA
getaddrinfo
freeaddrinfo
setsockopt
closesocket
connect
ioctlsocket
WSAStringToAddressA
socket

winhttp

WinHttpGetIEProxyConfigForCurrentUser

Exports

Exports

load_lol_patch

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 248KB - Virtual size: 248KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 39KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 548B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 69KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d74a625802e141f3356498bca1f362a9

Headers

DLL Characteristics

File Characteristics

Imports

yaml

libcurl

libssl-1_1

libcrypto-1_1

libzstd

advapi32

crypt32

dnsapi

kernel32

msvcp140

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

ole32

psapi

rpcrt4

ws2_32

winhttp

Exports

Exports

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 248KB - Virtual size: 248KB

.data Size: 39KB - Virtual size: 45KB

_RDATA Size: 1KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 548B

.reloc Size: 69KB - Virtual size: 68KB

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 248KB - Virtual size: 248KB

.data
Size: 39KB - Virtual size: 45KB

_RDATA
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 548B

.reloc
Size: 69KB - Virtual size: 68KB