NEAS[.]1bd19a8801426dee290460bced585e20_JC[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

NEAS.1bd19a8801426dee290460bced585e20_JC.exe
Size

103KB
MD5

1bd19a8801426dee290460bced585e20
SHA1

83b8436d24914fb2a2bec2d6a34786e1a7b84ea0
SHA256

f18f1bff93988a2ea3bde99241a62998f6249eb68cecd95791f159238d50f689
SHA512

8334f1839cccaeff41c0729b53933580f20c8900eb5d9f83b3d4d819335734420c53928f243e533920e25ed55cadbad47d4060b2e9e055f78f968c61ac7e10a4
SSDEEP

3072:bZHoWvO7oV0tbSSpmRypvhZxyvOJIduvQh:toWvDV0tbSSpmRypvhZ6OJIduG

Score

1^/10

Malware Config

Signatures

Files

NEAS.1bd19a8801426dee290460bced585e20_JC.exe
.exe windows:5 windows x86

e4dcd23a47032fe52ac0856d07b6cf4b

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16-07-2004 00:00

Not After

15-07-2014 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

68:39:1d:bc:21:90:5e:b8:0d:57:dc:81:89:ec:96:db
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

06-08-2008 00:00

Not After

12-08-2010 23:59

Subject

CN=Lenel Systems International Inc.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Lenel Systems International Inc.,L=Pittsford,ST=New York,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1e:a4:96:73:52:fc:c0:d5:da:18:bb:2e:a0:91:0b:ac:3b:9e:31:cd
Signer

Actual PE Digest

1e:a4:96:73:52:fc:c0:d5:da:18:bb:2e:a0:91:0b:ac:3b:9e:31:cd

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

lnlutilityu

?InitInstance@BaseApp@utility@lenel@@UAEHXZ
?SetAppName@BaseApp@utility@lenel@@QAEXPB_W@Z
??_7CResult@@6B@
?LogError@CLogger@@SAXPB_WABVCResult@@0K0_N@Z
?GetComputerNameW@SysInfo@utility@lenel@@SAHAAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@_N1@Z
?LogError@CLogger@@SAXPB_WABVCResult@@0K_N@Z
?LogError@CLogger@@SAXPB_WABVCResult@@0KPAVCException@@0_N@Z

acloginu

?LoginAsSA@CAcsUser@@QAE_NXZ
??0CAcsUser@@QAE@_N000@Z
?Decrypt@CLnlEncrypt@@QAEHPB_WAAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
?Encrypt@CLnlEncrypt@@QAEHPB_WAAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
?BinToASCII@CLnlEncrypt@@QAEXABV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV23@@Z
?BinFromASCII@CLnlEncrypt@@QAEXABV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV23@@Z
?Logout@CAcsUser@@QAEXXZ
??1CAcsUser@@UAE@XZ
?GetRuntimeClass@CLnlEncrypt@@UBEPAUCRuntimeClass@@XZ

lnlctlu

??0CAboutDlg@@QAE@PB_W0PAV?$map@V?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@V12@U?$less@V?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@std@@V?$allocator@U?$pair@$$CBV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@V12@@std@@@4@@std@@@Z
?DoModal@WhiteDialog@@UAEHXZ
??1CAboutDlg@@UAE@XZ

dataexchangeengineu

?GetRuntimeClass@CExchange@@UBEPAUCRuntimeClass@@XZ
??1CConfig@@UAE@XZ
?Load@CConfig@@QAEXJ@Z
?Run@CConfig@@QAEJJ@Z
??0CConfig@@QAE@PAVCAcsUser@@@Z

lnlcmnu

?Logout@CLnlApp@@UAEHH@Z
?GetRuntimeClass@CLnlApp@@UBEPAUCRuntimeClass@@XZ
?PreTranslateMessage@CLnlApp@@UAEHPAUtagMSG@@@Z
?Login@CLnlApp@@UAEHPB_W00HH@Z
?ExitInstance@CLnlApp@@UAEHXZ
?StartUsingLicenseSystem@CLnlApp@@IAE_N_N0@Z
??0CLnlApp@@IAE@_N0PB_W@Z
?FeatureValueAsBoolean@CLnlApp@@QAE_NPB_W@Z
?TimeElapsed@CLnlApp@@UAEXPAVCTimer@utility@lenel@@@Z
?ForcedLogout@CLnlApp@@MAEXXZ
?VerifyLogin@CLnlApp@@MAEHPAVCAcsUser@@@Z
?SetAppTitle@CLnlApp@@UAEXPB_W@Z
?Login@CLnlApp@@UAEHHH@Z
?LoginAsSA@CLnlApp@@UAEHPB_W@Z
??1CLnlApp@@UAE@XZ

mfc90u

ord6466
ord1728
ord4702
ord5154
ord3743
ord5664
ord4603
ord6800
ord5512
ord2074
ord5601
ord4664
ord1493
ord4345
ord1751
ord1754
ord6411
ord3355
ord4378
ord5294
ord5297
ord4800
ord4805
ord4802
ord4820
ord4823
ord4807
ord5210
ord5020
ord4599
ord4590
ord5418
ord5224
ord4866
ord793
ord5624
ord2232
ord3993
ord5548
ord6019
ord5663
ord4997
ord2448
ord5677
ord3819
ord779
ord670
ord585
ord576
ord415
ord4685
ord1442
ord3225
ord6375
ord3682
ord4697
ord1380
ord2369
ord5655
ord5598
ord4344
ord1681
ord4429
ord2650
ord2651
ord3287
ord5803
ord980
ord6381
ord3230
ord6379
ord3229
ord5338
ord3232
ord4553
ord4730
ord5450
ord5447
ord2860
ord2079
ord2445
ord5354
ord1727
ord788
ord5615
ord4451
ord2189
ord2341
ord2340
ord6338
ord4720
ord5685
ord4971
ord4965
ord4710
ord6604
ord2619
ord3952
ord593
ord3235
ord796
ord1884
ord265
ord3868
ord554
ord758
ord5908
ord1041
ord6510
ord1100
ord2537
ord5650
ord3140
ord4910
ord4693
ord588
ord4896
ord4895
ord4042
ord3948
ord5137
ord650
ord4994
ord2859
ord2867
ord6762
ord2204
ord2239
ord5606
ord6044
ord1462
ord5861
ord3009
ord5945
ord4677
ord5285
ord5171
ord2090
ord4641
ord3340
ord3035
ord6439
ord6553
ord4906
ord4684
ord388
ord4004
ord3803
ord813
ord6741
ord5830
ord4213
ord2087
ord3217
ord5674
ord5676
ord4347
ord4996
ord5680
ord6018
ord2771
ord2983
ord3112
ord4728
ord2966
ord3115
ord2774
ord2893
ord2764
ord4080
ord4081
ord4071
ord2891
ord4348
ord4905
ord4681
ord4442
ord1220
ord570
ord996
ord2084
ord4897
ord5683
ord960
ord965
ord969
ord967
ord971
ord2615
ord4007
ord2635
ord4893
ord4890
ord4043
ord3589
ord1108
ord1137
ord2536
ord2625
ord2623
ord939
ord290
ord4448
ord4423
ord2621
ord2638
ord2633
ord2617
ord2640
ord2628
ord2610
ord2612
ord2630
ord2375
ord2368
ord1641
ord6802
ord4174
ord6804
ord3681
ord5404
ord6376
ord3226
ord1441
ord2139
ord1792
ord2597
ord1791
ord280
ord4494
ord811
ord1599
ord6801
ord4173
ord6803
ord4747
ord2251
ord2206
ord6035
ord4179
ord1183
ord286
ord6699
ord296
ord1272
ord2694
ord3185
ord935
ord938
ord4985
ord1048
ord909
ord266
ord600
ord799
ord801
ord4212

msvcr90

wcslen
malloc
_wsplitpath
_swprintf
free
_wcsnset
wcsncpy
memset
printf
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_controlfp_s
_invoke_watson
_except_handler4_common
_decode_pointer
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
__set_app_type
_encode_pointer
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
_wcmdln
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
_amsg_exit
memcpy
_purecall
??0exception@std@@QAE@ABV01@@Z
_CxxThrowException
_invalid_parameter_noinfo
__CxxFrameHandler3
??0exception@std@@QAE@XZ
??1exception@std@@UAE@XZ
wcscpy

kernel32

LeaveCriticalSection
EnterCriticalSection
Sleep
InitializeCriticalSection
GetCurrentThread
CloseHandle
GetExitCodeThread
SetEvent
ResumeThread
ResetEvent
GetPrivateProfileIntW
InterlockedExchange
InterlockedCompareExchange
SetThreadPriority
CreateEventW
CreateMutexW
GetLastError
WaitForSingleObject
TerminateThread
TryEnterCriticalSection
GetVersionExW
GetModuleFileNameW
GetStartupInfoW
DeleteCriticalSection
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
IsDebuggerPresent
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime

user32

GetLastActivePopup
IsIconic
SetForegroundWindow
EnableWindow
DefWindowProcW
LoadIconW
LoadCursorW
FindWindowW

advapi32

RegisterEventSourceW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
SetServiceStatus
RegisterServiceCtrlHandlerW
StartServiceCtrlDispatcherW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegCloseKey
RegSetValueExW
RegCreateKeyW
DeregisterEventSource
ReportEventW

msvcp90

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ

rpcns4

RpcNsBindingExportW
RpcNsBindingUnexportW

rpcrt4

RpcServerRegisterIf
RpcServerInqBindings
RpcServerUseProtseqIfW
RpcServerUseProtseqEpW
RpcServerUseProtseqW
RpcServerUseAllProtseqsIf
RpcServerUseAllProtseqs
RpcServerInqIf
RpcMgmtWaitServerListen
RpcServerUnregisterIf
RpcServerRegisterIfEx
NdrServerInitializeNew
NdrConvert
RpcRaiseException
I_RpcGetBuffer
RpcMgmtStopServerListening
RpcEpRegisterW
RpcBindingVectorFree
RpcServerListen
RpcEpUnregister

Exports

Exports

??0UserTranObject@lenel@@QAE@XZ
??0UserTranOperation@lenel@@QAE@XZ
??1CLnlEncrypt@@UAE@XZ
??1UserTranObject@lenel@@UAE@XZ
??1UserTranOperation@lenel@@UAE@XZ
??_7CLnlEncrypt@@6B@
??_7UserTranObject@lenel@@6B@
??_7UserTranOperation@lenel@@6B@
?DecryptDbField@CLnlEncrypt@@QAEHPB_WAAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
?DecryptFromString@CLnlEncrypt@@QAEXPB_WAAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
?DecryptUserPassword@CLnlEncrypt@@QAEXPB_WAAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
?DetermineMaxSourceLen@CLnlEncrypt@@QAEJH@Z
?EncryptToString@CLnlEncrypt@@QAEXPB_WAAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
?EncryptUserPassword@CLnlEncrypt@@QAEXPB_WAAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
?GetASCIILenBytePos@CLnlEncrypt@@AAEJJ@Z
?Is7BitEncryption@CLnlEncrypt@@QAEHXZ
?Rand@CLnlEncrypt@@AAEKXZ
?SRand@CLnlEncrypt@@AAEXK@Z
?Set7BitEncryption@CLnlEncrypt@@QAEXH@Z

Sections

.text
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e4dcd23a47032fe52ac0856d07b6cf4b

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

68:39:1d:bc:21:90:5e:b8:0d:57:dc:81:89:ec:96:dbCertificate

Extended Key Usages

Key Usages

1e:a4:96:73:52:fc:c0:d5:da:18:bb:2e:a0:91:0b:ac:3b:9e:31:cdSigner

Headers

DLL Characteristics

File Characteristics

Imports

lnlutilityu

acloginu

lnlctlu

dataexchangeengineu

lnlcmnu

mfc90u

msvcr90

kernel32

user32

advapi32

msvcp90

rpcns4

rpcrt4

Exports

Exports

Sections

.text Size: 40KB - Virtual size: 39KB

.rdata Size: 35KB - Virtual size: 34KB

.data Size: 11KB - Virtual size: 12KB

.rsrc Size: 11KB - Virtual size: 11KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

68:39:1d:bc:21:90:5e:b8:0d:57:dc:81:89:ec:96:db
Certificate

1e:a4:96:73:52:fc:c0:d5:da:18:bb:2e:a0:91:0b:ac:3b:9e:31:cd
Signer

.text
Size: 40KB - Virtual size: 39KB

.rdata
Size: 35KB - Virtual size: 34KB

.data
Size: 11KB - Virtual size: 12KB

.rsrc
Size: 11KB - Virtual size: 11KB