NEAS[.]a5a656f8283872636e70dc13482c2020_JC[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.a5a656f8283872636e70dc13482c2020_JC.exe
Size

2.5MB
MD5

a5a656f8283872636e70dc13482c2020
SHA1

3c176ab3247dc48c50714f8ca55b63399fa8b381
SHA256

1ff2cd9cdc5411cb9ee7ba2b1607369b86dbd31027c6d473b198186fdfef6733
SHA512

630839d22be94281c2ba17172e9f4060dd947f2b2172b352743bdec3f52adfa14b18c3b3121659a7052ef0e55ff7d54e03ee45e1f58762102b370e62b024dcc0
SSDEEP

49152:YdkDdXxHt7L46ky1+nhUZ6wD/L1mvDPI+0IFjktLyjwYWlkssvNEfH9so:Ydedh1LSy1+nU/AvDPIywY2ssH9

Score

1^/10

Malware Config

Signatures

Files

NEAS.a5a656f8283872636e70dc13482c2020_JC.exe
.exe windows:5 windows x86

8bfffa32e5156cae4c6795412364870c

Code Sign

33:00:00:00:5a:ed:2f:f4:e4:20:99:3f:3a:00:00:00:00:00:5a
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2014, 17:13

Not After

23/08/2015, 17:13

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=WA,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/04/2014, 17:39

Not After

22/07/2015, 17:39

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

9b:1a:38:1b:71:0b:6e:d4:c4:b3:51:ed:78:c9:37:c3:43:68:31:69
Signer

Actual PE Digest

9b:1a:38:1b:71:0b:6e:d4:c4:b3:51:ed:78:c9:37:c3:43:68:31:69

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP

Imports

advapi32

RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
EventWrite
EventRegister
EventUnregister
OpenTraceW
ProcessTrace
CloseTrace
StartTraceW
ControlTraceW
GetLengthSid
EnableTrace
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExW
RegDeleteTreeW
RegGetValueW
OpenProcessToken
GetTokenInformation
RevertToSelf
EventWriteTransfer
OpenThreadToken
CopySid
GetSidSubAuthority
IsValidSid
AddAccessAllowedAce
AddAccessDeniedAce
AllocateAndInitializeSid
CheckTokenMembership
CreateWellKnownSid
EqualSid
FreeSid
GetSecurityDescriptorDacl
InitializeAcl
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
ConvertSidToStringSidA
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegNotifyChangeKeyValue
CreateProcessAsUserW
GetSidSubAuthorityCount
CredWriteW
CloseServiceHandle
OpenSCManagerW
OpenServiceW
QueryServiceConfigW
QueryServiceStatusEx

kernel32

K32GetModuleFileNameExW
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
LoadResource
SizeofResource
FindResourceW
OpenProcess
OutputDebugStringA
CreateThread
GetModuleHandleA
LoadLibraryW
FlsGetValue
FlsSetValue
ReleaseSemaphore
DuplicateHandle
MapViewOfFile
UnmapViewOfFile
ReleaseMutex
CreateEventW
GetTickCount
QueryFullProcessImageNameW
WerRegisterMemoryBlock
WerUnregisterMemoryBlock
GetCurrentThread
GetProcessAffinityMask
SetThreadAffinityMask
WaitForMultipleObjectsEx
InterlockedPopEntrySList
IsProcessorFeaturePresent
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
Sleep
GetThreadIOPendingFlag
RtlCaptureStackBackTrace
ResetEvent
IsDebuggerPresent
WaitForSingleObject
WaitForMultipleObjects
MulDiv
CreateMemoryResourceNotification
IsSystemResumeAutomatic
GetSystemPowerStatus
GetModuleHandleExW
GetStringTypeW
GetVersionExW
GlobalMemoryStatusEx
GetComputerNameW
GetDiskFreeSpaceExW
GetSystemDirectoryW
GetLogicalProcessorInformation
GetNativeSystemInfo
FormatMessageW
CreateMutexA
CreateEventA
OpenEventA
OpenMutexA
CreateSemaphoreA
OpenSemaphoreA
CreateEventExW
OpenFileMappingA
GlobalAlloc
GlobalFree
HeapAlloc
HeapFree
GetProcessHeap
LocalAlloc
OutputDebugStringW
GetShortPathNameA
ExpandEnvironmentStringsW
CreateDirectoryW
VirtualAlloc
VirtualFree
SignalObjectAndWait
SetWaitableTimerEx
CancelWaitableTimer
CreateWaitableTimerW
QueryDepthSList
TryEnterCriticalSection
InitializeSListHead
InterlockedPushEntrySList
GetTempPathW
TerminateProcess
GetShortPathNameW
ReadFile
WriteFile
CreateFileW
GetFileSizeEx
LockResource
SetFileAttributesW
RemoveDirectoryW
GetDriveTypeW
SetEndOfFile
SetFilePointerEx
GetOverlappedResult
DeviceIoControl
FlushFileBuffers
CancelIoEx
GetFileType
CopyFileW
GetTempFileNameW
SetFileInformationByHandle
GetLocaleInfoEx
LocaleNameToLCID
LCIDToLocaleName
IsValidLocale
GetSystemDefaultLCID
GetUserDefaultLCID
GetSystemDefaultLocaleName
EnumSystemLocalesEx
SwitchToThread
SystemTimeToTzSpecificLocalTime
GetProductInfo
LocalFree
GetCPInfoExW
GetStringTypeExW
FileTimeToSystemTime
GetTempPathA
DeleteFileA
GetModuleFileNameA
CreateProcessW
GetLocalTime
lstrcmpW
FindFirstFileW
GetCurrentDirectoryW
GetFullPathNameW
SetEvent
LeaveCriticalSection
EnterCriticalSection
QueryPerformanceFrequency
CloseHandle
GetCurrentThreadId
AcquireSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockShared
ReleaseSRWLockExclusive
MultiByteToWideChar
GetModuleFileNameW
CompareStringEx
LoadLibraryExA
LoadLibraryA
OpenThread
K32GetProcessImageFileNameW
AllocConsole
AttachConsole
FreeConsole
GetUserGeoID
VerifyVersionInfoW
GetUserDefaultLocaleName
IsValidCodePage
WideCharToMultiByte
SetLastError
GetFileInformationByHandleEx
WaitForSingleObjectEx
GetTickCount64
GetFileAttributesExW
QueryPerformanceCounter
QueryUnbiasedInterruptTime
SystemTimeToFileTime
InitializeSRWLock
GetSystemTimeAsFileTime
GetCurrentProcessId
FindNextFileW
FindFirstFileExW
FindClose
GetLongPathNameW
DeleteFileW
VerSetConditionMask
K32EnumProcesses
GetPriorityClass
GetExitCodeProcess
ProcessIdToSessionId
ReadConsoleW
WriteConsoleW
SetStdHandle
GetConsoleMode
GetConsoleCP
GetOEMCP
GetACP
UnregisterWaitEx
InterlockedFlushSList
FreeLibraryAndExitThread
IsWow64Process
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSectionEx
FlsFree
FlsAlloc
GetLastError
CreateFileMappingA
GetExitCodeThread
EncodePointer
DecodePointer
GetCommandLineW
RaiseException
RtlUnwind
HeapReAlloc
HeapSize
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
CreateSemaphoreW
GetCPInfo
CreateTimerQueue
SetThreadPriority
GetThreadPriority
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
RegisterWaitForSingleObject
UnregisterWait
CompareStringW
LCMapStringW
GetLocaleInfoW
EnumSystemLocalesW
ExitProcess
GetStdHandle
GetEnvironmentStringsW
FreeEnvironmentStringsW
VirtualProtect
GetThreadTimes

ole32

CoCreateInstance
CoTaskMemFree
StringFromIID
CoRevokeInitializeSpy
CoRegisterInitializeSpy
CreateStreamOnHGlobal
CoCreateGuid
CLSIDFromString
StringFromGUID2
IIDFromString
CoInitializeEx
CoUninitialize
CoTaskMemAlloc

oleaut32

SysAllocString
VariantInit
VariantClear
SysFreeString

ws2_32

FreeAddrInfoW
GetAddrInfoW
WSAStartup

gdi32

Rectangle
CreatePen
CreateFontW
SetTextColor
SetBkColor
GetStockObject
SelectObject
DeleteObject
GetDeviceCaps
SetDCPenColor
GetTextMetricsW
GetTextExtentPoint32W
CreateSolidBrush
SetDCBrushColor

gdiplus

GdipCreateFromHDC
GdipDeleteGraphics
GdipDrawImageRectRectI
GdipAlloc
GdipFree
GdiplusStartup
GdipCloneBrush
GdipDeleteBrush
GdipCreateSolidFill
GdipLoadImageFromStream
GdipCloneImage
GdipDisposeImage
GdipGetImageGraphicsContext
GdipGetImageWidth
GdipGetImageHeight
GdipCreateBitmapFromScan0
GdipFillRectangleI
GdipDrawImageRectI

wintrust

WinVerifyTrust

iphlpapi

FreeMibTable
CreateSortedAddressPairs

cabinet

ord13
ord10
ord14

setupapi

SetupIterateCabinetW

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 468KB - Virtual size: 468KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 128KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 561KB - Virtual size: 561KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 84KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8bfffa32e5156cae4c6795412364870c

Code Sign

33:00:00:00:5a:ed:2f:f4:e4:20:99:3f:3a:00:00:00:00:00:5aCertificate

Extended Key Usages

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:caCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

9b:1a:38:1b:71:0b:6e:d4:c4:b3:51:ed:78:c9:37:c3:43:68:31:69Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

ole32

oleaut32

ws2_32

gdi32

gdiplus

wintrust

iphlpapi

cabinet

setupapi

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 468KB - Virtual size: 468KB

.data Size: 128KB - Virtual size: 135KB

.rsrc Size: 561KB - Virtual size: 561KB

.reloc Size: 84KB - Virtual size: 84KB

33:00:00:00:5a:ed:2f:f4:e4:20:99:3f:3a:00:00:00:00:00:5a
Certificate

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

9b:1a:38:1b:71:0b:6e:d4:c4:b3:51:ed:78:c9:37:c3:43:68:31:69
Signer

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 468KB - Virtual size: 468KB

.data
Size: 128KB - Virtual size: 135KB

.rsrc
Size: 561KB - Virtual size: 561KB

.reloc
Size: 84KB - Virtual size: 84KB