NEAS[.]9c345f9f46ad6e65d04edd92b2db5f20_JC[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.9c345f9f46ad6e65d04edd92b2db5f20_JC.exe
Size

131KB
MD5

9c345f9f46ad6e65d04edd92b2db5f20
SHA1

94ec1aaf6651241b26d6f363e5467c417aa3320f
SHA256

536c875a0d5bd5a0ddf327f5dd2fa1a18c0287dca26218eaac006bd100e28e1b
SHA512

6727348a6beb0aa525e260a3ec2bb91061d9b8e2d8e758b133f12cb0c726d28ffa6a26592601178a8d87f4bd2a28911d56389f698f70b65209f00c5827e37d65
SSDEEP

3072:NLNZTnXruH2VHo1JridVjpa+Wr6Iptoruz7N7NIek6oWYp6:VzXKHItTWrlvQr6oWo

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
NEAS.9c345f9f46ad6e65d04edd92b2db5f20_JC.exe

Files

NEAS.9c345f9f46ad6e65d04edd92b2db5f20_JC.exe
.dll windows:10 windows x64

113cded7a5677a4fe55fae4c10f715cd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

_onexit
_wcsicmp
memcpy
__dllonexit
_unlock
_lock
_initterm
_amsg_exit
_XcptFilter
memset
_callnewh
wcscpy_s
wcsncmp
_wcsnicmp
_purecall
wcsrchr
_wtoi
wcsnlen
wcsncpy_s
malloc
calloc
memmove_s
memcpy_s
_wcslwr_s
free
_vsnwprintf
swscanf
_ultow_s
time
iswalpha
towlower
__C_specific_handler
__CxxFrameHandler3
wcscmp

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapDestroy
GetProcessHeap
HeapReAlloc
HeapSize
HeapFree

api-ms-win-core-errorhandling-l1-1-0

GetLastError
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError

api-ms-win-core-file-l1-1-0

RemoveDirectoryW
CreateFileW
GetTempFileNameW
FindClose
GetFileAttributesW
GetFullPathNameW
FindNextFileW
FindNextChangeNotification
FindCloseChangeNotification
FindFirstChangeNotificationW
CreateDirectoryW
GetShortPathNameW
CompareFileTime
GetFileAttributesExW
GetFileSizeEx
SetFilePointerEx
WriteFile
ReadFile
FindFirstFileW
DeleteFileW
SetFilePointer
CreateFileA
SetFileAttributesW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-heap-l2-1-0

GlobalFree
GlobalAlloc
LocalFree

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-file-l1-2-0

GetTempPathW

rpcrt4

UuidToStringW
RpcStringFreeW
UuidFromStringW

api-ms-win-core-string-l2-1-0

CharPrevW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetVersionExW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegGetValueW
RegCreateKeyExW
RegSetValueExW

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
TraceMessage
RegisterTraceGuidsW
UnregisterTraceGuids
GetTraceEnableLevel
GetTraceLoggerHandle

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
CreateMutexW
ReleaseMutex
DeleteCriticalSection
LeaveCriticalSection
ResetEvent
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
SetEvent
OpenMutexW
InitializeCriticalSection
CreateEventW
SleepEx

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventWrite
EventRegister

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-com-l1-1-0

StringFromIID
CoTaskMemFree
CoTaskMemAlloc
CoUninitialize
CoInitializeEx
PropVariantClear
CoCreateInstance

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentProcessId
OpenThreadToken
GetCurrentThread
TerminateProcess
OpenProcessToken
GetCurrentThreadId

api-ms-win-core-libraryloader-l1-2-0

LockResource
LoadResource
FindResourceExW
SizeofResource

winhttp

WinHttpCloseHandle
WinHttpConnect
WinHttpAddRequestHeaders
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpGetDefaultProxyConfiguration
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpReceiveResponse
WinHttpSetOption
WinHttpOpenRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpOpen

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

cabinet

ord22
ord20
ord23

api-ms-win-core-localization-l1-2-0

IsValidLocaleName
GetGeoInfoW
GetUserGeoID

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolCleanupGroup
CloseThreadpool
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolCleanupGroupMembers
CreateThreadpoolCleanupGroup
CallbackMayRunLong
SetThreadpoolThreadMinimum
CreateThreadpool
SetThreadpoolThreadMaximum

api-ms-win-core-namespace-l1-1-0

DeleteBoundaryDescriptor
CreateBoundaryDescriptorW
AddSIDToBoundaryDescriptor
OpenPrivateNamespaceW
ClosePrivateNamespace
CreatePrivateNamespaceW

api-ms-win-security-base-l1-1-0

InitializeSecurityDescriptor
CopySid
IsValidSid
SetSecurityDescriptorDacl
GetTokenInformation
FreeSid
InitializeAcl
GetLengthSid
AddAccessAllowedAceEx
AllocateAndInitializeSid

crypt32

CertVerifyCertificateChainPolicy

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject
MoveFileW

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrcmpW

ntdll

WinSqmSetString
WinSqmSetDWORD
WinSqmEndSession
WinSqmStartSession

user32

UnregisterClassA

shlwapi

ord12
UrlCanonicalizeW

propsys

InitPropVariantFromStringVector

xmllite

CreateXmlReader
CreateXmlWriter
CreateXmlWriterOutputWithEncodingName

wintrust

WTHelperGetProvSignerFromChain
WinVerifyTrust
WTHelperProvDataFromStateData

wer

WerReportSetParameter
WerReportAddFile
WerReportSubmit
WerReportCloseHandle
WerReportCreate

devrtl

NdxTableNextObject
NdxTableClose
NdxTableGetPropertyValue
NdxTableSetTypeDefinition
NdxTableFirstObject
NdxTableAddObject
NdxTableSetPropertyValue
NdxTableRemoveObject
NdxTableAddObjectToList
NdxTableObjectFromName
NdxTableOpen
NdxTableGetObjectType
NdxTableGetObjectName
NdxTableRemoveObjectFromList
NdxTableFirstObjectInList

Exports

Exports

DllCanUnloadNow
DllGetClassObject

Sections

.text
Size: 97KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 376B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

113cded7a5677a4fe55fae4c10f715cd

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-file-l1-2-0

rpcrt4

api-ms-win-core-string-l2-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

winhttp

api-ms-win-core-synch-l1-2-1

cabinet

api-ms-win-core-localization-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-namespace-l1-1-0

api-ms-win-security-base-l1-1-0

crypt32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-string-obsolete-l1-1-0

ntdll

user32

shlwapi

propsys

xmllite

wintrust

wer

devrtl

Exports

Exports

Sections

.text Size: 97KB - Virtual size: 97KB

.rdata Size: 25KB - Virtual size: 24KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 3KB - Virtual size: 3KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 376B

.text
Size: 97KB - Virtual size: 97KB

.rdata
Size: 25KB - Virtual size: 24KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 376B