NEAS[.]b0f367bb5e5cd5e45ae9557d800f7c40_JC[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.b0f367bb5e5cd5e45ae9557d800f7c40_JC.exe
Size

2.3MB
MD5

b0f367bb5e5cd5e45ae9557d800f7c40
SHA1

87220c8eb88abfcd6f0a0bd858ec2829da434d47
SHA256

76edaa2099f31d092a07c4b88c9751ef487abf00221151e1a110671a63601e81
SHA512

27428c7452a821ef1d03e99f841e7e06ecdb9c56d2146a78d7dfa1009a7de9fc9e02f0f60dedfd4c4f2e5fa2726ff66f83be0c0afb3864911c185529039072fb
SSDEEP

49152:RkuMSFrbhm9gGTaNj1jAQXs3qlpu+Fy+U5336:a6BQQ83qpY3K

Score

1^/10

Malware Config

Signatures

Files

NEAS.b0f367bb5e5cd5e45ae9557d800f7c40_JC.exe
.dll windows:5 windows x64

1c7cafd593fd9dc92fb3770683951160

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

44:51:ad:37:17:cf:a2:23:71:ff:bc:07:df:13:e6:5d
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

17/10/2013, 00:00

Not After

15/11/2016, 23:59

Subject

CN=VMware\, Inc.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=VMware\, Inc.,L=Palo Alto,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

91:a5:ee:6a:9b:d4:94:82:c1:4b:98:9d:74:fe:d9:47:10:31:a8:e8
Signer

Actual PE Digest

91:a5:ee:6a:9b:d4:94:82:c1:4b:98:9d:74:fe:d9:47:10:31:a8:e8

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

GetVersion
GetFileType
QueryPerformanceCounter
GlobalMemoryStatus
FlushConsoleInputBuffer
SetEnvironmentVariableA
GetLocaleInfoA
GetStringTypeW
GetStringTypeA
CreateFileA
InitializeCriticalSectionAndSpinCount
LCMapStringW
LCMapStringA
GetProcessHeap
WriteConsoleW
GetConsoleOutputCP
SetStdHandle
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
RtlVirtualUnwind
SystemTimeToFileTime
SetFilePointer
SetEndOfFile
FlushFileBuffers
CompareStringA
GetSystemTime
UnmapViewOfFile
OpenFileMappingA
CreateFileMappingA
MapViewOfFile
RegisterWaitForSingleObject
UnregisterWaitEx
CompareFileTime
FindResourceW
LoadResource
SizeofResource
LockResource
GetModuleFileNameA
WriteConsoleInputW
FreeConsole
GetFileSize
ReadFile
GetComputerNameExW
FindFirstFileW
FindNextFileW
FindClose
GetConsoleWindow
GetStdHandle
WriteConsoleA
GetDiskFreeSpaceExW
ReleaseMutex
CreateMutexA
OutputDebugStringW
VirtualAlloc
LocalAlloc
CreateEventA
WriteFile
GetSystemTimeAsFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
GetWindowsDirectoryW
OpenEventA
CreateDirectoryW
CreateProcessW
VirtualFree
SetUnhandledExceptionFilter
ExitProcess
RaiseException
GetEnvironmentVariableW
GetModuleHandleExW
SetEnvironmentVariableW
CreateThread
TlsGetValue
FormatMessageW
TlsAlloc
TlsSetValue
CreateFileW
IsBadStringPtrW
IsBadReadPtr
SuspendThread
GetThreadContext
DuplicateHandle
GetThreadPriority
FreeLibrary
GetSystemDirectoryW
GetComputerNameW
ResetEvent
SetErrorMode
LoadLibraryA
GetModuleHandleA
lstrlenW
LocalFree
GetCurrentProcess
GetProcessAffinityMask
GetTickCount
OpenEventW
DisableThreadLibraryCalls
GetProcAddress
LoadLibraryW
WideCharToMultiByte
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
GetModuleFileNameW
FreeEnvironmentStringsA
GetStartupInfoA
SetHandleCount
HeapSize
HeapDestroy
HeapCreate
HeapSetInformation
FlsAlloc
FlsFree
FlsGetValue
DecodePointer
EncodePointer
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
SetConsoleMode
ReadConsoleInputA
GetTimeZoneInformation
GetConsoleMode
GetConsoleCP
DeleteFileW
SetConsoleCtrlHandler
GetFileAttributesW
RtlPcToFileHeader
RtlUnwindEx
ExitThread
GetCommandLineA
FlsSetValue
HeapReAlloc
RtlCaptureContext
RtlLookupFunctionEntry
IsDebuggerPresent
UnhandledExceptionFilter
HeapAlloc
HeapFree
TlsFree
GetShortPathNameW
TerminateProcess
GetVersionExW
OpenProcess
ResumeThread
CloseHandle
SetThreadAffinityMask
GetCurrentThreadId
WaitForMultipleObjects
CreateEventW
SetThreadPriority
MultiByteToWideChar
Sleep
GetCurrentThread
SetEvent
WaitForSingleObject
GetModuleHandleW
GetSystemDefaultLangID
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
TryEnterCriticalSection
GetCurrentProcessId
ExpandEnvironmentStringsW
SetLastError
GetLastError
CompareStringW
ExpandEnvironmentStringsA

user32

wsprintfW
CharLowerBuffW
AdjustWindowRectEx
SetForegroundWindow
ShowWindow
SystemParametersInfoW
GetDesktopWindow
GetProcessWindowStation
GetUserObjectInformationW
CharLowerW
CharLowerBuffA
MessageBoxW
LoadStringW
MonitorFromRect
GetMonitorInfoW
GetWindowPlacement
SendInput
GetWindow
SendMessageW
GetWindowLongW

advapi32

CryptContextAddRef
RegSetKeyValueW
RegOpenKeyExW
RegCloseKey
CredIsProtectedW
CredProtectW
CreateWellKnownSid
FreeSid
SetSecurityInfo
SetEntriesInAclW
AllocateAndInitializeSid
GetSecurityInfo
GetSidSubAuthority
GetSidSubAuthorityCount
GetSidIdentifierAuthority
LookupAccountSidW
GetTokenInformation
OpenProcessToken
OpenThreadToken
AccessCheck
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
InitializeSecurityDescriptor
DuplicateToken
CryptGenRandom
DeregisterEventSource
RegDeleteValueW
CryptHashSessionKey
CryptDeriveKey
CryptImportKey
CryptSetKeyParam
RegGetKeySecurity
ConvertSecurityDescriptorToStringSecurityDescriptorW
CryptEncrypt
CryptCreateHash
CryptSignHashW
CryptHashData
RegDeleteKeyW
CryptDestroyHash
RegSetValueExA
RegCreateKeyExA
CryptExportKey
CryptAcquireContextA
CryptGenKey
RegisterEventSourceW
ReportEventW
RegNotifyChangeKeyValue
RegEnumValueA
RegQueryValueExA
RegOpenKeyExA
CryptDecrypt
LookupAccountNameW
CryptGetUserKey
CryptGetKeyParam
CryptDestroyKey
CryptAcquireContextW
CryptGetProvParam
CryptReleaseContext
CryptSetProvParam
RegEnumValueW
RegEnumKeyExW
RegSetValueExW
RegCreateKeyExW
AddAccessDeniedAce
LookupPrivilegeValueW
AdjustTokenPrivileges
GetUserNameW
RegQueryValueExW

shell32

SHGetSpecialFolderPathW
SHAppBarMessage
SHGetDesktopFolder
SHGetMalloc
SHGetPathFromIDListW

ole32

CoInitializeEx
CoCreateInstance
CoTaskMemAlloc
CoTaskMemFree

wtsapi32

WTSDisconnectSession
WTSQuerySessionInformationW
WTSFreeMemory
WTSQuerySessionInformationA

rpcrt4

UuidCreate
UuidToStringW
RpcStringFreeW
UuidFromStringW

ws2_32

connect
getnameinfo
socket
getaddrinfo
listen
bind
setsockopt
freeaddrinfo
WSACleanup
send
htonl
ntohl
ntohs
accept
closesocket
htons
WSAGetLastError
WSAStartup
recv

secur32

QuerySecurityPackageInfoW
LsaConnectUntrusted
LsaDeregisterLogonProcess
FreeCredentialsHandle
DeleteSecurityContext
FreeContextBuffer
LsaLookupAuthenticationPackage
EncryptMessage
DecryptMessage
InitializeSecurityContextW
QueryContextAttributesW
AcceptSecurityContext
CompleteAuthToken
AcquireCredentialsHandleW

shlwapi

SHStrDupW
SHDeleteKeyW
StrCpyNW

version

VerQueryValueW
GetFileVersionInfoW

winscard

SCardListReadersW
SCardListCardsW
SCardGetCardTypeProviderNameW
SCardReleaseContext
SCardGetStatusChangeA
SCardFreeMemory
SCardAccessStartedEvent
SCardGetStatusChangeW
SCardEstablishContext
SCardReleaseStartedEvent
SCardCancel
SCardListReadersA

crypt32

CryptAcquireCertificatePrivateKey
CertDeleteCertificateFromStore
CertVerifyTimeValidity
CertVerifyCertificateChainPolicy
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertFindCertificateInStore
CertStrToNameW
CertCreateSelfSignCertificate
CertNameToStrW
CertSetCertificateContextProperty
CertCreateCertificateContext
CertGetCertificateContextProperty
CertGetNameStringW
CertGetIntendedKeyUsage
CertGetEnhancedKeyUsage
CertGetCertificateChain
CertFreeCertificateChain
CertOpenSystemStoreW
CertEnumPhysicalStore
CertEnumCertificatesInStore
CertCompareCertificate
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertFreeCertificateContext
CertDuplicateCertificateContext

cryptui

CryptUIDlgViewCertificateW

Exports

Exports

DllCanUnloadNow
DllGetClassObject

Sections

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 556KB - Virtual size: 555KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 143KB - Virtual size: 164KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 109KB - Virtual size: 109KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1c7cafd593fd9dc92fb3770683951160

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

44:51:ad:37:17:cf:a2:23:71:ff:bc:07:df:13:e6:5dCertificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

91:a5:ee:6a:9b:d4:94:82:c1:4b:98:9d:74:fe:d9:47:10:31:a8:e8Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

wtsapi32

rpcrt4

ws2_32

secur32

shlwapi

version

winscard

crypt32

cryptui

Exports

Exports

Sections

.text Size: 1.5MB - Virtual size: 1.5MB

.rdata Size: 556KB - Virtual size: 555KB

.data Size: 143KB - Virtual size: 164KB

.pdata Size: 109KB - Virtual size: 109KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 19KB - Virtual size: 18KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

44:51:ad:37:17:cf:a2:23:71:ff:bc:07:df:13:e6:5d
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

91:a5:ee:6a:9b:d4:94:82:c1:4b:98:9d:74:fe:d9:47:10:31:a8:e8
Signer

.text
Size: 1.5MB - Virtual size: 1.5MB

.rdata
Size: 556KB - Virtual size: 555KB

.data
Size: 143KB - Virtual size: 164KB

.pdata
Size: 109KB - Virtual size: 109KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 19KB - Virtual size: 18KB