NEAS[.]fa2f8ea0dface3b3e935b106edef4150[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

NEAS.fa2f8ea0dface3b3e935b106edef4150.exe
Size

3.5MB
MD5

fa2f8ea0dface3b3e935b106edef4150
SHA1

1944790945d8b7fee88d474404eb90b89d9384d6
SHA256

7bfffae521bf579cd33463deb7e19ce83c69a5ab40bb71af96c3fe141c7b16fd
SHA512

d0b3b0df5a5190444290b4e538546d01e7384d564bdd1aa86786f4f6b5ef759277627cb7ead3b79a9fd36b2c3c963aab7eb5b0c19378358fd09bb195dcd76827
SSDEEP

49152:mMXEiGdi/R+kKp+6FlLlCYuJPA3LBuq8NBU8AxdwDHVfv9ytA8Wpl+SJ8lQqhq:aBp+gtlCRiSJ8

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
NEAS.fa2f8ea0dface3b3e935b106edef4150.exe

Files

NEAS.fa2f8ea0dface3b3e935b106edef4150.exe
.dll regsvr32 windows:6 windows x64

0d0d0885931a5ec50e7f2fb78df8127f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

swscanf_s
_vsnprintf
wcstok
_stricmp
srand
wcschr
_ultow_s
wcstoul
qsort
??_U@YAPEAX_K@Z
_ui64tow_s
tolower
wcsstr
_itow_s
memcpy_s
wcstod
wcsncmp
_wfopen
memmove
strchr
_purecall
fprintf
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
_errno
iswdigit
_strnicmp
rand
_wtoi
_wtol
_wcsnicmp
memmove_s
bsearch
fclose
strncmp
realloc
_memicmp
_vsnwprintf
_strdup
memchr
swprintf_s
iswalnum
??1type_info@@UEAA@XZ
__CxxFrameHandler3
??_V@YAXPEAX@Z
wcstol
memcmp
memcpy
_get_errno
_wtoi64
memset
strcmp
_onexit
__dllonexit
_unlock
_lock
__C_specific_handler
_initterm
malloc
free
_amsg_exit
_strcmpi
_set_errno
iswspace
_wcsicmp
_XcptFilter
wcstok_s
wcscmp

ntdll

NtQuerySystemInformation
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfStateChangeNotification
NtQueryWnfStateData
NtSetInformationThread
vDbgPrintEx
AlpcInitializeMessageAttribute
ZwAlpcQueryInformation
TpReleaseAlpcCompletion
ZwClose
ZwAlpcDisconnectPort
TpWaitForAlpcCompletion
RtlWakeAddressAll
AlpcGetMessageAttribute
RtlInitUnicodeString
TpAllocAlpcCompletion
RtlWaitOnAddress
ZwAlpcConnectPort
ZwAlpcSendWaitReceivePort
ZwAlpcCancelMessage
RtlAllocateHeap
RtlFreeHeap
WinSqmIncrementDWORD
WinSqmAddToStream
WinSqmSetString
VerSetConditionMask
RtlPublishWnfStateData
WinSqmSetDWORD
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlNtStatusToDosError
RtlGetNtProductType

api-ms-win-core-debug-l1-1-1

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
FreeLibraryAndExitThread
DisableThreadLibraryCalls
LoadResource
FindResourceExW
GetModuleHandleW
LockResource
FreeLibrary
SizeofResource
LoadLibraryExW
GetModuleFileNameW

api-ms-win-core-synch-l1-2-0

ReleaseSRWLockShared
AcquireSRWLockShared
InitializeSRWLock
Sleep
InitializeCriticalSectionAndSpinCount
InitializeCriticalSection
CreateMutexW
DeleteCriticalSection
SetEvent
OpenEventW
ReleaseSRWLockExclusive
LeaveCriticalSection
ResetEvent
EnterCriticalSection
WaitForSingleObject
AcquireSRWLockExclusive
CreateEventW
SleepEx
CreateEventA
ReleaseMutex
WaitForMultipleObjectsEx

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-2

GetCurrentProcessId
CreateProcessA
GetCurrentThreadId
SetThreadPriority
SetThreadInformation
OpenThreadToken
GetCurrentProcess
CreateProcessW
TerminateProcess
GetExitCodeProcess
OpenProcessToken
GetCurrentThread
GetThreadId
CreateThread
ResumeThread
GetExitCodeThread
CreateProcessAsUserW
SetThreadToken

api-ms-win-core-sysinfo-l1-2-1

GetSystemDirectoryA
GetSystemInfo
GetSystemWindowsDirectoryA
GetComputerNameExW
GetTickCount
GetSystemTimeAsFileTime
GetSystemFirmwareTable
GetTickCount64
GetNativeSystemInfo
GetProductInfo
GetSystemTime
GetLocalTime
GetSystemWindowsDirectoryW
GetVersionExW
GetSystemDirectoryW

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
GetLastError
SetLastError
RaiseException
UnhandledExceptionFilter

api-ms-win-security-base-l1-2-0

ImpersonateLoggedOnUser
RevertToSelf
EqualSid
IsValidSid
FreeSid
MakeAbsoluteSD
ImpersonateSelf
AllocateAndInitializeSid
CreateRestrictedToken
GetLengthSid
CopySid
CreateWellKnownSid
DuplicateTokenEx
AdjustTokenPrivileges
InitializeAcl
AddAccessAllowedAce
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetTokenInformation
CheckTokenMembership

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-core-registry-l1-1-0

RegDeleteValueW
RegSetValueExW
RegOpenCurrentUser
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegQueryInfoKeyW
RegDeleteKeyExW
RegOpenKeyExA
RegCloseKey
RegQueryValueExA
RegEnumKeyExW
RegEnumValueW

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW
GetEnvironmentVariableW
GetEnvironmentVariableA
SetEnvironmentVariableW
ExpandEnvironmentStringsA

api-ms-win-core-file-l2-1-1

MoveFileExW

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventRegister
EventWrite
EventWriteTransfer

api-ms-win-service-core-l1-1-1

RegisterServiceCtrlHandlerExW
SetServiceStatus

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-com-l1-1-1

CoSwitchCallContext
CoDisconnectObject
CoDisableCallCancellation
CoEnableCallCancellation
CoCancelCall
CoTaskMemFree
CoTaskMemAlloc
IIDFromString
CoSetProxyBlanket
PropVariantClear
StringFromCLSID
CoImpersonateClient
CoInitializeSecurity
CoTaskMemRealloc
CoRevertToSelf
CoFreeUnusedLibrariesEx
CoRegisterClassObject
StringFromGUID2
CoRevokeClassObject
CoCreateGuid
CoCreateInstance
CLSIDFromString
CoQueryProxyBlanket
CoGetApartmentType
CoDisconnectContext
CoUninitialize
CoInitializeEx

api-ms-win-service-management-l1-1-0

OpenSCManagerW
CreateServiceW
DeleteService
OpenServiceW
CloseServiceHandle

api-ms-win-service-winsvc-l1-2-0

QueryServiceStatus
ControlService

oleaut32

SysStringByteLen
VariantClear
VariantChangeType
VariantCopy
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayCreate
SafeArrayDestroy
SafeArrayLock
SafeArrayUnlock
SafeArrayUnaccessData
VariantInit
SysAllocString
SysAllocStringByteLen
SafeArrayAccessData
SafeArrayGetVartype
SysAllocStringLen
SysStringLen
VariantCopyInd
VariantChangeTypeEx
SysFreeString
VarUI4FromStr
VariantTimeToSystemTime
SystemTimeToVariantTime

api-ms-win-core-string-l1-1-0

CompareStringW
CompareStringOrdinal
WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-localization-l1-2-1

GetSystemDefaultLCID
FormatMessageW
LCMapStringW
GetLocaleInfoW

api-ms-win-core-file-l1-2-1

FlushFileBuffers
DeleteFileW
WriteFile
GetFileAttributesW
CompareFileTime
SetFilePointerEx
LocalFileTimeToFileTime
RemoveDirectoryW
GetFileSizeEx
GetLogicalDriveStringsW
SetFileTime
GetFileTime
DeleteFileA
FindClose
CreateDirectoryA
FileTimeToLocalFileTime
CreateDirectoryW
GetVolumeNameForVolumeMountPointW
CreateFileA
FindNextFileW
SetFileAttributesW
GetFileType
SetFilePointer
SetEndOfFile
GetVolumePathNameW
FindFirstFileW
GetDriveTypeW
GetFileAttributesExW
GetFileAttributesA
GetFullPathNameA
GetTempFileNameW
CreateFileW
GetFileSize
ReadFile

rpcrt4

I_RpcBindingInqTransportType
NdrClientCall3
RpcSsDestroyClientContext
RpcBindingFree
I_RpcBindingInqLocalClientPID
RpcStringBindingComposeW
UuidCreate
RpcStringFreeA
UuidToStringA
RpcBindingCreateW
I_RpcExceptionFilter
I_RpcMapWin32Status
UuidToStringW
RpcStringFreeW
UuidFromStringW
RpcBindingFromStringBindingW
RpcBindingBind

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation

iphlpapi

GetAdaptersInfo

api-ms-win-core-io-l1-1-1

DeviceIoControl

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx
CallNtPowerInformation

winhttp

WinHttpConnect
WinHttpCrackUrl
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpOpenRequest
WinHttpSetCredentials
WinHttpSetOption
WinHttpGetDefaultProxyConfiguration
WinHttpQueryOption
WinHttpSetTimeouts
WinHttpReadData
WinHttpCloseHandle
WinHttpGetProxyForUrl
WinHttpOpen
WinHttpGetIEProxyConfigForCurrentUser
WinHttpQueryHeaders
WinHttpQueryAuthSchemes

api-ms-win-core-realtime-l1-1-0

QueryUnbiasedInterruptTime

api-ms-win-devices-config-l1-1-1

CM_Get_DevNode_Status
CM_Locate_DevNodeW

crypt32

CertFindCertificateInStore
CertFreeCertificateContext
CertFreeCertificateChain
CertGetEnhancedKeyUsage
CertVerifyCertificateChainPolicy
CertCloseStore
CertGetCertificateChain
CryptUnprotectData
CertGetCertificateContextProperty
CertControlStore
CryptHashPublicKeyInfo
CryptProtectData
CertOpenStore

api-ms-win-service-management-l2-1-0

ChangeServiceConfigW
QueryServiceConfig2W
QueryServiceConfigW
SetServiceObjectSecurity
ChangeServiceConfig2W
QueryServiceStatusEx

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsDeleteString
WindowsIsStringEmpty
WindowsDuplicateString
WindowsGetStringRawBuffer
WindowsStringHasEmbeddedNull
WindowsCreateString

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory

userenv

UnregisterGPNotification
CreateEnvironmentBlock
DestroyEnvironmentBlock
RegisterGPNotification

api-ms-win-core-datetime-l1-1-1

GetDateFormatW
GetDateFormatEx
GetTimeFormatW

api-ms-win-core-winrt-error-l1-1-1

RoOriginateError
RoTransformError

api-ms-win-core-memory-l1-1-2

CreateFileMappingW
MapViewOfFileEx
UnmapViewOfFile
VirtualAlloc
VirtualFree
FlushViewOfFile
MapViewOfFile

kernel32

LocalAlloc
PackageFamilyNameFromFullName
OOBEComplete
CopyFileW
FindResourceW
EnumResourceLanguagesW
EnumResourceNamesW
CompareStringA
GlobalAlloc
GlobalFree
GetBinaryTypeA
CreateFileMappingA
LocalFree
GetSystemDefaultUILanguage
DosDateTimeToFileTime
CopyFileA
LoadLibraryA
WaitForMultipleObjects
EnumUILanguagesW
GetPrivateProfileStringW
GetPrivateProfileSectionW
DelayLoadFailureHook
ResolveDelayLoadedAPI
LoadLibraryW
GetUserDefaultUILanguage
CreateTimerQueueTimer
DeleteTimerQueueTimer
lstrcmpiW
PackageIdFromFullName
VerifyVersionInfoW
GetComputerNameW
CreateTimerQueue
GetSystemPowerStatus
DeleteTimerQueueEx

user32

ExitWindowsEx
GetMessageW
TranslateMessage
PostThreadMessageW
DispatchMessageW
GetSystemMetrics

shell32

SHGetFolderPathW

esent

JetBeginSessionA
JetOpenTableA
JetCloseDatabase
JetOpenDatabaseA
JetDelete
JetMove
JetSetSystemParameterA
JetBeginTransaction
JetCommitTransaction
JetRollback
JetEndSession
JetInit
JetTerm2
JetDetachDatabaseA
JetAttachDatabaseA
JetCreateDatabaseA
JetEscrowUpdate
JetGetTableColumnInfoA
JetCreateInstanceA
JetSetIndexRange
JetGetColumnInfoA
JetAddColumnA
JetCreateTableA
JetDeleteTableA
JetCreateIndex2A
JetCloseTable
JetRetrieveColumns
JetPrepareUpdate
JetGetBookmark
JetSetColumns
JetUpdate
JetGotoBookmark
JetMakeKey
JetSetCurrentIndexA
JetSeek
JetIndexRecordCount
JetIntersectIndexes

winspool.drv

ClosePrinter
GetPrinterDataW
OpenPrinterW
EnumPrinterDriversW

wmsgapi

WmsgPostNotifyMessage

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrToIntW
StrToIntExW
StrChrW
StrRChrW

cfgmgr32

DevFreeObjectProperties
DevGetObjectProperties

shlwapi

PathIsRelativeW
SHDeleteKeyW
PathIsUNCW
PathStripToRootW
SHDeleteValueW
PathFindExtensionW
PathIsRootW

api-ms-win-service-private-l1-1-1

I_ScRegisterPreshutdownRestart

api-ms-win-security-lsalookup-l1-1-1

LookupAccountSidLocalW

api-ms-win-core-heap-l1-2-0

HeapAlloc
GetProcessHeap
HeapReAlloc
HeapFree

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-version-l1-1-0

VerQueryValueW

sspicli

GetUserNameExW

ws2_32

WSAStartup
WSACleanup
WSASocketW
WSAIoctl
closesocket
WSAGetLastError

api-ms-win-power-setting-l1-1-0

PowerSettingRegisterNotification
PowerSettingUnregisterNotification

cabinet

ord45
ord21
ord22
ord20
ord23
ord43
ord40

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust
WTHelperGetProvCertFromChain

mspatcha

ApplyPatchToFileByHandles

version

GetFileVersionInfoSizeW
GetFileVersionInfoW

wevtapi

EvtGetChannelConfigProperty
EvtOpenChannelConfig
EvtClose

Exports

Exports

DllInstall
DllMain
DllRegisterServer
DllUnregisterServer
GeneralizeForImaging
GetAUOptionsEx
GetEngineStatusInfo
RegisterServiceVersion
ServiceHandler
ServiceMain
WUAutoUpdateAtShutdown
WUCheckForUpdatesAtShutdown
WUServiceMain

Sections

.text
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 512B - Virtual size: 503B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 61KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 125KB - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 75KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0d0d0885931a5ec50e7f2fb78df8127f

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

api-ms-win-core-debug-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-security-base-l1-2-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-file-l2-1-1

api-ms-win-eventing-provider-l1-1-0

api-ms-win-service-core-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-2-0

oleaut32

api-ms-win-core-string-l1-1-0

api-ms-win-core-localization-l1-2-1

api-ms-win-core-file-l1-2-1

rpcrt4

api-ms-win-core-timezone-l1-1-0

iphlpapi

api-ms-win-core-io-l1-1-1

api-ms-win-power-base-l1-1-0

winhttp

api-ms-win-core-realtime-l1-1-0

api-ms-win-devices-config-l1-1-1

crypt32

api-ms-win-service-management-l2-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

userenv

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-memory-l1-1-2

kernel32

user32

shell32

esent

winspool.drv

wmsgapi

api-ms-win-core-shlwapi-obsolete-l1-1-0

cfgmgr32

shlwapi

api-ms-win-service-private-l1-1-1

api-ms-win-security-lsalookup-l1-1-1

api-ms-win-core-heap-l1-2-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-version-l1-1-0

sspicli

ws2_32

api-ms-win-power-setting-l1-1-0

cabinet

wintrust

mspatcha

version

wevtapi

Exports

Exports

Sections

.text Size: 3.2MB - Virtual size: 3.2MB

PAGE Size: 512B - Virtual size: 503B

.data Size: 61KB - Virtual size: 61KB

.pdata Size: 125KB - Virtual size: 124KB

.idata Size: 22KB - Virtual size: 22KB

.text
Size: 3.2MB - Virtual size: 3.2MB

PAGE
Size: 512B - Virtual size: 503B

.data
Size: 61KB - Virtual size: 61KB

.pdata
Size: 125KB - Virtual size: 124KB

.idata
Size: 22KB - Virtual size: 22KB

.didat
Size: 512B - Virtual size: 504B

.rsrc
Size: 75KB - Virtual size: 74KB

.reloc
Size: 21KB - Virtual size: 21KB