NEAS[.]868a9f39e14d2dd05e6ce33239fc1440[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.868a9f39e14d2dd05e6ce33239fc1440.exe
Size

1.1MB
MD5

868a9f39e14d2dd05e6ce33239fc1440
SHA1

99afb45330a7d48281a0eddf6e30933fb11775ea
SHA256

ef42023eee6a326542f38dd49bc0c0d14b5ff39a6f0d67595c4dac34a54847b3
SHA512

e2dc1d73992e1a0d6da9d46d8b2b4807d8b07d45e3d09e826b055c4847045c59bae38092dfa6177ec66b0c04ef1d3bf75bbd6236824000f7bac7ec0bb1a597a9
SSDEEP

12288:NJgjBjgwsxFa9hxDpM3K6mBA2fCAp5FSI0RuQg8Y01cWiyYJFej/A/XNBNjsg9QF:pejnafPuQg8Y01cWi9JFt/rGgaGBVBP

Score

1^/10

Malware Config

Signatures

Files

NEAS.868a9f39e14d2dd05e6ce33239fc1440.exe
.exe windows:6 windows x86

988de56d3f1411e7be591f15aa5364f0

Code Sign

33:00:00:00:62:41:2f:c7:4d:8a:ae:13:26:00:00:00:00:00:62
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

10/02/2015, 18:33

Not After

10/05/2016, 18:33

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:C0F4-3086-DEF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/04/2014, 17:39

Not After

22/07/2015, 17:39

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:38:8d:23:6d:16:27:a3:26:e0:00:00:00:00:00:38
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/10/2014, 18:11

Not After

01/01/2016, 18:11

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b5:52:3d:da:53:73:83:2c:cc:0e:46:bd:60:47:4c:0c:03:5e:45:75:6c:3e:c4:41:6e:41:2c:b3:99:54:66:8d
Signer

Actual PE Digest

b5:52:3d:da:53:73:83:2c:cc:0e:46:bd:60:47:4c:0c:03:5e:45:75:6c:3e:c4:41:6e:41:2c:b3:99:54:66:8d

Digest Algorithm

sha256

PE Digest Matches

true

3c:6b:fb:17:f7:bd:4f:0f:58:92:82:e4:cb:fe:ec:37:95:b8:ea:aa
Signer

Actual PE Digest

3c:6b:fb:17:f7:bd:4f:0f:58:92:82:e4:cb:fe:ec:37:95:b8:ea:aa

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

StartServiceCtrlDispatcherW
RegisterTraceGuidsW
EnableTrace
ControlTraceW
UnregisterTraceGuids
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
TraceEvent
GetSecurityInfo
EqualSid
RegConnectRegistryW
InitializeSecurityDescriptor
AllocateAndInitializeSid
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
FreeSid
RegisterEventSourceW
ReportEventW
DeregisterEventSource
LookupAccountSidW
LogonUserW
CheckTokenMembership
CreateWellKnownSid
ImpersonateSelf
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
GetTokenInformation
GetLengthSid
OpenThreadToken
RevertToSelf
SetThreadToken
StartTraceW

kernel32

ReleaseMutex
OpenMutexW
LocalFree
GetComputerNameW
GetTimeZoneInformation
GetSystemDefaultUILanguage
GetNativeSystemInfo
FindClose
FindNextFileW
FindFirstFileW
GetTempPathW
LocalAlloc
GetLocaleInfoW
CompareStringW
SetEndOfFile
SetFilePointerEx
GetDiskFreeSpaceW
GetVolumePathNameW
SystemTimeToFileTime
HeapCreate
ReadProcessMemory
SetHandleInformation
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
InterlockedIncrement
InterlockedDecrement
TlsAlloc
TlsGetValue
TlsSetValue
CreateSemaphoreW
ReleaseSemaphore
SetConsoleCtrlHandler
GetCommandLineW
QueryPerformanceCounter
LoadLibraryW
GetLastError
GetProcAddress
FreeLibrary
Sleep
MapViewOfFile
InterlockedExchange
InterlockedCompareExchange
SetUnhandledExceptionFilter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
HeapFree
GetProcessHeap
GetModuleHandleW
GetModuleFileNameW
TlsFree
SetEvent
CreateEventW
CloseHandle
DuplicateHandle
OpenThread
GetThreadTimes
WaitForSingleObjectEx
GetThreadLocale
ResetEvent
HeapAlloc
DeleteFiber
RaiseException
VirtualQueryEx
GetVersionExW
VirtualQuery
GetCurrentThread
GetProcessTimes
SetThreadAffinityMask
GetSystemInfo
VirtualFree
DebugBreak
VirtualAlloc
GlobalMemoryStatusEx
CreateMutexW
SuspendThread
SetThreadPriority
GetThreadPriority
ExitProcess
WaitForSingleObject
SwitchToThread
VirtualProtect
MapViewOfFileEx
UnmapViewOfFile
PostQueuedCompletionStatus
CreateIoCompletionPort
SetThreadLocale
CreateFileMappingW
OpenFileMappingW
GetOverlappedResult
WaitForMultipleObjects
SetProcessWorkingSetSize
GetModuleHandleA
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
SwitchToFiber
SignalObjectAndWait
InterlockedFlushSList
QueryDepthSList
CreateFiber
ConvertThreadToFiber
GetQueuedCompletionStatus
ResumeThread
SetThreadIdealProcessor
GetProcessAffinityMask
OutputDebugStringA
GetLocalTime
QueryPerformanceFrequency
SetLastError
OutputDebugStringW
LoadLibraryA
GetSystemDirectoryA
MultiByteToWideChar
FileTimeToSystemTime
GetComputerNameA
GetComputerNameExW
WriteFile
GetSystemTime
DeleteFileW
GetEnvironmentVariableW
CreateFileW
IsWow64Process

msvcr80

_snwprintf_s_l
wcsrchr
_invalid_parameter_noinfo
??1exception@std@@UAE@XZ
??0exception@std@@QAE@ABQBD@Z
?what@exception@std@@UBEPBDXZ
??0exception@std@@QAE@XZ
_vsnwprintf
wcsncmp
_vsnwprintf_s
??0exception@std@@QAE@ABV01@@Z
wcspbrk
_findclose
_wfindnext64i32
_wfindfirst64i32
_localtime64_s
wcsstr
_itow
_wcsupr_l
strncmp
wcschr
strcat_s
_sprintf_s_l
_strtoul_l
free
calloc
strcpy_s
_strnicmp_l
_stricmp_l
strchr
wcsncpy_s
_wcsicmp
_wcsnicmp_l
memcpy_s
_isctype_l
__pctype_func
srand
_time64
strncpy_s
_wmakepath_s
_beginthreadex
rand
?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z
_CIsqrt
_vsnprintf_l
malloc
_resetstkoflw
_set_invalid_parameter_handler
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
?set_terminate@@YAP6AXXZP6AXXZ@Z
?set_unexpected@@YAP6AXXZP6AXXZ@Z
_wcsicmp_l
_printf_l
_vsnwprintf_l
_clearfp
_fpreset
_controlfp
wcscpy_s
_wsplitpath_s
_CxxThrowException
__set_app_type
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
?terminate@@YAXXZ
_except_handler4_common
_invoke_watson
_controlfp_s
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_purecall
__CxxFrameHandler3
_wcslwr
wprintf
_endthread
_wtoi
_wcsnicmp
memcpy
memset
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
exit
_wfullpath
_wtoi64_l
_iswprint_l
swprintf_s
wcslen
__initenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer

ws2_32

ntohs
WSAGetLastError
WSAStringToAddressW
inet_addr
gethostbyname
inet_ntoa
htonl
getservbyname
htons
gethostbyaddr
getservbyport
WSASetLastError
getnameinfo
WSACleanup
WSAStartup

msvcp80

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@F@Z
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PADH@Z
?seekpos@strstreambuf@std@@MAE?AV?$fpos@H@2@V32@H@Z
?seekoff@strstreambuf@std@@MAE?AV?$fpos@H@2@JHH@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHPBDH@Z
?_Xsgetn_s@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHPADIH@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHPADH@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?pbackfail@strstreambuf@std@@MAEHH@Z
??0strstreambuf@std@@QAE@PADH0@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD0@Z
??1strstreambuf@std@@UAE@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?exceptions@ios_base@std@@QAEXH@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?length@?$char_traits@D@std@@SAIPBD@Z
?width@ios_base@std@@QBEHXZ
?flags@ios_base@std@@QBEHXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?eof@?$char_traits@D@std@@SAHXZ
?eq_int_type@?$char_traits@D@std@@SA_NABH0@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z
?width@ios_base@std@@QAEHH@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?good@ios_base@std@@QBE_NXZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z
?uncaught_exception@std@@YA_NXZ

sqlrsos

GetTlsSlotInfo

shlwapi

PathFindExtensionW
PathRemoveExtensionW
PathAddExtensionW
PathFindFileNameW
PathRenameExtensionW
PathCanonicalizeW
PathAppendW
PathRemoveFileSpecW
PathFileExistsW
PathCombineW
PathRemoveBackslashW

user32

CharLowerBuffW

winmm

timeGetDevCaps
timeBeginPeriod
timeEndPeriod

rpcrt4

UuidCreate

iphlpapi

GetAdaptersAddresses

Exports

Exports

AlterXESessions
DmpGetClientExport
DmpRemoteDumpRequest
XEGetAPI
_CreateILockBytesOnSOSMemory@4
_CreateNativeLoggingObject@4
_GetDefaultTraceLevel@4
_GetNativeLoggingTraceDirectory@4
_GetNativeLoggingTracePath@4
_GetNativeTraceLevel@12
_IsGcInProgress@0
_IsManagedDebuggerAttached@0
_NativeLoggingTrace@28
_ReleaseNativeLoggingObject@4
_RsDump@4
_RsDumpAddMemory@8
_RsDumpDump@0
_RsDumpSetErrorAddress@4
_RsDumpSetErrorDetails@4
_RsDumpSetErrorSignature@4
_RsDumpSetErrorText@4
_RsDumpSetLogFile@4

Sections

.text
Size: 1019KB - Virtual size: 1019KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 46KB - Virtual size: 257KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

AssertDa
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

CONSTSEC
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.sdbid
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 75KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

988de56d3f1411e7be591f15aa5364f0

Code Sign

33:00:00:00:62:41:2f:c7:4d:8a:ae:13:26:00:00:00:00:00:62Certificate

Extended Key Usages

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:caCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:38:8d:23:6d:16:27:a3:26:e0:00:00:00:00:00:38Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

b5:52:3d:da:53:73:83:2c:cc:0e:46:bd:60:47:4c:0c:03:5e:45:75:6c:3e:c4:41:6e:41:2c:b3:99:54:66:8dSigner

3c:6b:fb:17:f7:bd:4f:0f:58:92:82:e4:cb:fe:ec:37:95:b8:ea:aaSigner

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcr80

ws2_32

msvcp80

sqlrsos

shlwapi

user32

winmm

rpcrt4

iphlpapi

Exports

Exports

Sections

.text Size: 1019KB - Virtual size: 1019KB

.data Size: 46KB - Virtual size: 257KB

AssertDa Size: 2KB - Virtual size: 2KB

CONSTSEC Size: 512B - Virtual size: 8B

.sdbid Size: 2KB - Virtual size: 1KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 75KB - Virtual size: 74KB

33:00:00:00:62:41:2f:c7:4d:8a:ae:13:26:00:00:00:00:00:62
Certificate

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:38:8d:23:6d:16:27:a3:26:e0:00:00:00:00:00:38
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

b5:52:3d:da:53:73:83:2c:cc:0e:46:bd:60:47:4c:0c:03:5e:45:75:6c:3e:c4:41:6e:41:2c:b3:99:54:66:8d
Signer

3c:6b:fb:17:f7:bd:4f:0f:58:92:82:e4:cb:fe:ec:37:95:b8:ea:aa
Signer

.text
Size: 1019KB - Virtual size: 1019KB

.data
Size: 46KB - Virtual size: 257KB

AssertDa
Size: 2KB - Virtual size: 2KB

CONSTSEC
Size: 512B - Virtual size: 8B

.sdbid
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 75KB - Virtual size: 74KB