NEAS[.]bfd1d4a2018fb0e6cf420a26937f7e30[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.bfd1d4a2018fb0e6cf420a26937f7e30.exe
Size

691KB
MD5

bfd1d4a2018fb0e6cf420a26937f7e30
SHA1

e0f8be33fdaf7a68edb48e0e7e22175b3769cbb9
SHA256

9ef88129962666035d16a4f670aa22f4decdf2f5ca53819a0a6e38a7c1770b5a
SHA512

ba5db814de0e4b266422337f294c0b7069140e24b8f91cdc3468a8d31275c7c9d532321458c1aee20453028a154b5c9ab968822899452ce77cc41fe0edf1279f
SSDEEP

12288:0AUqQE3xjg4pwQjmoU2F4EI2CcKISPn88GNo2QpokKhICTqrQz1BjvrEH7F:0Ad7h1pQISPXNokxCuArEH7F

Score

1^/10

Malware Config

Signatures

Files

NEAS.bfd1d4a2018fb0e6cf420a26937f7e30.exe
.exe windows:5 windows x86

78edc38533ea104bad4f3bb7640012bf

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

78:0a:00:32:a6:ce:7d:0b:5d:54:52:f5:cd:e5:20:dc
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

16/06/2016, 00:00

Not After

14/07/2018, 23:59

Subject

CN=TAOBAO (CHINA) SOFTWARE CO.\,LTD.,OU=RDC,O=TAOBAO (CHINA) SOFTWARE CO.\,LTD.,L=Hangzhou,ST=Zhejiang,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:43:05:f9:f9:09:b2:48:81:d3:fe:25:21:ae:7e:d8
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

14/06/2016, 00:00

Not After

14/07/2018, 23:59

Subject

CN=TAOBAO (CHINA) SOFTWARE CO.\,LTD.,OU=RDC,O=TAOBAO (CHINA) SOFTWARE CO.\,LTD.,L=Hangzhou,ST=Zhejiang,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:06:f1:0f:ce:68:f0:9b:fa:e5:5b:18:cd:8f:20:01:77
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for Advanced - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

29/03/2029, 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

65:58:71:01:7b:25:b8:e0:97:71:ea:e4:ff:23:be:17:e2:9c:83:74:03:7b:b3:d4:8f:fe:73:c2:cd:32:20:01
Signer

Actual PE Digest

65:58:71:01:7b:25:b8:e0:97:71:ea:e4:ff:23:be:17:e2:9c:83:74:03:7b:b3:d4:8f:fe:73:c2:cd:32:20:01

Digest Algorithm

sha256

PE Digest Matches

false

60:5c:3b:2e:ae:6e:59:1c:34:de:4c:30:4f:eb:7e:b9:29:ff:2e:14
Signer

Actual PE Digest

60:5c:3b:2e:ae:6e:59:1c:34:de:4c:30:4f:eb:7e:b9:29:ff:2e:14

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

wintrust

WinVerifyTrust

wtsapi32

WTSEnumerateSessionsW
WTSFreeMemory
WTSQueryUserToken

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

psapi

GetModuleFileNameExW

winmm

timeGetTime
timeBeginPeriod
timeEndPeriod

shlwapi

PathRemoveFileSpecW

advapi32

OpenServiceA
ReadEventLogA
OpenEventLogW
CloseEventLog
StartServiceW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
DeleteService
ConvertStringSecurityDescriptorToSecurityDescriptorW
CheckTokenMembership
SetNamedSecurityInfoW
GetNamedSecurityInfoW
SetEntriesInAclW
FreeSid
AllocateAndInitializeSid
SystemFunction036
RegCloseKey
RegCreateKeyExW
RegQueryValueExW
RegSetValueExW
RegOpenKeyExW
CreateProcessAsUserW
OpenProcessToken
AdjustTokenPrivileges
DuplicateTokenEx
GetTokenInformation
ImpersonateLoggedOnUser
RevertToSelf
SetTokenInformation
LookupPrivilegeValueW
ChangeServiceConfigW
ChangeServiceConfig2W
CloseServiceHandle
ControlService
CreateServiceW

kernel32

InitializeSListHead
OutputDebugStringW
RtlUnwind
LoadLibraryExW
GetFullPathNameW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
ExitProcess
GetModuleFileNameA
GetCommandLineA
GetACP
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
WriteConsoleW
ReadConsoleW
IsValidCodePage
Sleep
GetCurrentProcessId
GetCurrentThreadId
LocalFree
GetProcAddress
LoadLibraryW
CreateFileW
ReadFile
WriteFile
CloseHandle
GetLastError
SetLastError
WaitNamedPipeW
GetCurrentProcess
TerminateProcess
OpenThread
ResumeThread
OpenProcess
GetEnvironmentVariableA
ExpandEnvironmentStringsW
ProcessIdToSessionId
WTSGetActiveConsoleSessionId
DuplicateHandle
SetDllDirectoryW
GetCommandLineW
CreateDirectoryW
GetVolumeInformationW
RemoveDirectoryW
GetTempPathW
GetFileAttributesW
UnmapViewOfFile
SetFileAttributesW
GetFileAttributesExW
DeleteFileW
GetCurrentDirectoryW
SetCurrentDirectoryW
MoveFileExW
CopyFileW
CreateFileMappingW
MapViewOfFile
WaitForSingleObject
GetOEMCP
SetHandleInformation
GetStdHandle
AssignProcessToJobObject
CreateProcessW
MultiByteToWideChar
WideCharToMultiByte
GetVersionExW
GetNativeSystemInfo
GetModuleHandleW
OutputDebugStringA
GetModuleFileNameW
FormatMessageA
GetTickCount
SetThreadPriority
GetCurrentThread
QueryPerformanceFrequency
GetThreadPriority
GetSystemTimeAsFileTime
QueryPerformanceCounter
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
DeleteCriticalSection
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
FreeLibrary
CreateEventW
IsDebuggerPresent
OpenFileMappingW
VirtualQuery
SetEvent
ResetEvent
GetUserDefaultLangID
GetFileSizeEx
SetEndOfFile
SetFilePointerEx
FlushFileBuffers
FindFirstFileW
FindFirstFileExW
FindNextFileW
FindClose
GetSystemDirectoryW
GetWindowsDirectoryW
RaiseException
CreateThread
SetEnvironmentVariableW
GetEnvironmentVariableW
TlsSetValue
TlsAlloc
TlsGetValue
TlsFree
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CreateIoCompletionPort
GetModuleHandleExW
GetModuleHandleExA
GetSystemInfo
ReleaseMutex
CreateMutexW
CreateEventA
CreateFileMappingA
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
GetDriveTypeW
GetVolumePathNamesForVolumeNameW
DecodePointer
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
GetProcessHeap
DeviceIoControl
GlobalAddAtomA
GlobalFindAtomA
CreateFileA
RtlCaptureContext
SetUnhandledExceptionFilter
SetErrorMode
GetTimeZoneInformation
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
FindFirstFileExA
GetStartupInfoW
IsProcessorFeaturePresent
UnhandledExceptionFilter
GetCPInfo
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
EncodePointer
FindNextFileA
GetExitCodeProcess
GetUserDefaultUILanguage

gdi32

GetTextFaceW
SelectObject
DeleteObject
CreateFontW

shell32

SHGetFolderPathW
CommandLineToArgvW

ole32

CoUninitialize
CoInitializeEx
CoCreateInstance
CoTaskMemFree
CoSetProxyBlanket
CoInitialize
CoInitializeSecurity

oleaut32

VariantClear
VariantInit

user32

GetQueueStatus
CallMsgFilterW
MsgWaitForMultipleObjectsEx
PeekMessageW
SetTimer
DispatchMessageW
RegisterClassExW
WaitMessage
GetClassNameA
UnregisterClassW
CreateWindowExW
DestroyWindow
TranslateMessage
DefWindowProcW
GetDC
ReleaseDC
KillTimer
PostQuitMessage
CharUpperW
GetParent
PostMessageW

Exports

Exports

GetHandleVerifier

Sections

.text
Size: 486KB - Virtual size: 485KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 88KB - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 1024B - Virtual size: 548B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

78edc38533ea104bad4f3bb7640012bf

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14Certificate

Extended Key Usages

Key Usages

78:0a:00:32:a6:ce:7d:0b:5d:54:52:f5:cd:e5:20:dcCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

0d:43:05:f9:f9:09:b2:48:81:d3:fe:25:21:ae:7e:d8Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

11:21:06:f1:0f:ce:68:f0:9b:fa:e5:5b:18:cd:8f:20:01:77Certificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:31:89:c6:50:04Certificate

Key Usages

65:58:71:01:7b:25:b8:e0:97:71:ea:e4:ff:23:be:17:e2:9c:83:74:03:7b:b3:d4:8f:fe:73:c2:cd:32:20:01Signer

60:5c:3b:2e:ae:6e:59:1c:34:de:4c:30:4f:eb:7e:b9:29:ff:2e:14Signer

Headers

DLL Characteristics

File Characteristics

Imports

userenv

wintrust

wtsapi32

version

psapi

winmm

shlwapi

advapi32

kernel32

gdi32

shell32

ole32

oleaut32

user32

Exports

Exports

Sections

.text Size: 486KB - Virtual size: 485KB

.rdata Size: 88KB - Virtual size: 88KB

.data Size: 4KB - Virtual size: 15KB

.gfids Size: 1024B - Virtual size: 548B

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 18KB - Virtual size: 18KB

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

78:0a:00:32:a6:ce:7d:0b:5d:54:52:f5:cd:e5:20:dc
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

0d:43:05:f9:f9:09:b2:48:81:d3:fe:25:21:ae:7e:d8
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

11:21:06:f1:0f:ce:68:f0:9b:fa:e5:5b:18:cd:8f:20:01:77
Certificate

04:00:00:00:00:01:31:89:c6:50:04
Certificate

65:58:71:01:7b:25:b8:e0:97:71:ea:e4:ff:23:be:17:e2:9c:83:74:03:7b:b3:d4:8f:fe:73:c2:cd:32:20:01
Signer

60:5c:3b:2e:ae:6e:59:1c:34:de:4c:30:4f:eb:7e:b9:29:ff:2e:14
Signer

.text
Size: 486KB - Virtual size: 485KB

.rdata
Size: 88KB - Virtual size: 88KB

.data
Size: 4KB - Virtual size: 15KB

.gfids
Size: 1024B - Virtual size: 548B

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 18KB - Virtual size: 18KB