NEAS[.]85f9924fb26d924c4a10dc620ae2c350[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.85f9924fb26d924c4a10dc620ae2c350.exe
Size

1.1MB
MD5

85f9924fb26d924c4a10dc620ae2c350
SHA1

d67569dec025abdd300e1d567a700cacf8614b7e
SHA256

52dc870426ef36851d5037eb244b156f66ce2d661e0378232e12f635ddfe3d1a
SHA512

ba7142e560fa4b664c509dcc02f6f31a9412f6ac0111c4e4ce14e171152080728254eb1312bf00911b1e6a5aaa25056d60924853bcc231b50dfadcf77ba873d8
SSDEEP

24576:mSboCF4e4F/t7ygxjRC5EPBY+3wheiy9lqLqB7nIGBzzcG/xJ:Re3xjzBDV9lqLunIGBzIGD

Score

1^/10

Malware Config

Signatures

Files

NEAS.85f9924fb26d924c4a10dc620ae2c350.exe
.exe windows:4 windows x86

dfbee31588174a107600a4ba90a9af7e

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

45:9f:81:c4:54:6f:de:fc:ff:2f:1a:11:05:a6:ef:bd
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

22/04/2009, 00:00

Not After

18/06/2012, 23:59

Subject

CN=Sonic Solutions,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Sonic Solutions,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

79:e6:b8:f8:7f:95:f8:5a:82:40:a1:76:cd:18:b7:80:c8:43:1f:5f
Signer

Actual PE Digest

79:e6:b8:f8:7f:95:f8:5a:82:40:a1:76:cd:18:b7:80:c8:43:1f:5f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFileAttributesW
MoveFileW
DeleteFileW
GetTickCount
CopyFileW
FindClose
FindNextFileW
FindFirstFileW
GetCurrentThread
WideCharToMultiByte
GetFileAttributesExW
SetErrorMode
WaitForSingleObject
IsValidLocale
GetDateFormatW
GetTimeFormatW
SearchPathW
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
GetStartupInfoW
GetModuleHandleA
ExitProcess
GetProcessHeap
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
HeapDestroy
GetVersionExA
GetFileAttributesW
DefineDosDeviceW
GetCurrentDirectoryW
LoadLibraryW
GetProcAddress
QueryDosDeviceW
SetEvent
lstrcmpW
GetCurrentProcess
CloseHandle
VirtualFree
LeaveCriticalSection
EnterCriticalSection
GetModuleFileNameW
GetModuleHandleW
LoadLibraryExW
FindResourceW
LoadResource
InterlockedExchange
SizeofResource
MultiByteToWideChar
FreeLibrary
GetSystemTime
InterlockedDecrement
lstrcpynW
IsBadReadPtr
LocalFree
InterlockedIncrement
lstrcmpiW
GetLastError
DeleteCriticalSection
InitializeCriticalSection
RaiseException
IsBadWritePtr
lstrcpyW
lstrlenW
GetVersionExW
FlushInstructionCache
VirtualAlloc
MulDiv
CreateEventW
CreateThread
GetCurrentThreadId
GlobalAlloc
GlobalLock
GlobalUnlock
lstrcatW
lstrlenA
GetThreadLocale
GetLocaleInfoA
GetACP
Sleep

user32

GetFocus
CharNextW
UnregisterClassW
LoadStringW
CharUpperW
SetWindowLongW
GetWindowLongW
DispatchMessageW
TranslateMessage
GetMessageW
PostThreadMessageW
MessageBoxW
DefWindowProcW
SetWindowTextW
GetWindowTextW
GetWindowTextLengthW
RegisterClassExW
LoadCursorW
GetClassInfoExW
RegisterWindowMessageW
KillTimer
GetSysColor
CharUpperBuffW
CharLowerBuffW
OpenClipboard
EmptyClipboard
ReleaseCapture
SetClipboardData
CloseClipboard
PeekMessageW
SetCursor
wsprintfW
CreateWindowExW
CreateAcceleratorTableW
SetTimer
GetParent
GetClassNameW
SetWindowPos
DestroyWindow
RedrawWindow
GetDlgItem
IsWindow
SendMessageW
DestroyAcceleratorTable
RegisterClipboardFormatW
IsChild
GetWindow
SetFocus
BeginPaint
EndPaint
CallWindowProcW
GetDesktopWindow
InvalidateRgn
InvalidateRect
ReleaseDC
GetDC
GetClientRect
FillRect
SetCapture

gdi32

SelectObject
DeleteDC
CreateCompatibleBitmap
CreateCompatibleDC
BitBlt
GetDeviceCaps
GetObjectW
GetStockObject
CreateSolidBrush
DeleteObject

advapi32

RegCloseKey
RegDeleteValueW
RegDeleteKeyW
RegOpenKeyExW
RegSetValueExW
RegQueryInfoKeyW
RegEnumKeyExW
RegQueryValueExW
SetServiceStatus
DeregisterEventSource
ReportEventW
RegisterEventSourceW
CloseServiceHandle
OpenServiceW
OpenSCManagerW
DeleteService
ControlService
ChangeServiceConfig2W
CreateServiceW
RegisterServiceCtrlHandlerW
StartServiceCtrlDispatcherW
OpenThreadToken
DuplicateTokenEx
RevertToSelf
ImpersonateLoggedOnUser
RegCreateKeyExW

shell32

SHGetSpecialFolderPathW

ole32

CoSetProxyBlanket
CoImpersonateClient
CoRevertToSelf
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
OleRun
CoCreateInstance
StringFromGUID2
CoCreateGuid
CoRevokeClassObject
CoRegisterClassObject
CoInitialize
CoSuspendClassObjects
CreateStreamOnHGlobal
CoDisconnectObject
CoMarshalInterface
OleInitialize
OleUninitialize
CoUninitialize
OleLockRunning
CoGetClassObject
CLSIDFromProgID
CLSIDFromString
CoInitializeSecurity
PropVariantClear

oleaut32

VariantTimeToSystemTime
GetErrorInfo
SafeArrayGetUBound
SafeArrayCreate
SafeArrayGetElement
SafeArrayRedim
OleCreateFontIndirect
RegisterTypeLi
UnRegisterTypeLi
SysAllocStringLen
DispCallFunc
SafeArrayDestroy
SafeArrayPutElement
SafeArrayCreateVector
SafeArrayAccessData
SafeArrayUnaccessData
VariantCopy
LoadTypeLi
LoadRegTypeLi
SystemTimeToVariantTime
VarUI4FromStr
VariantClear
VariantChangeType
VariantInit
SysStringLen
SysStringByteLen
SysAllocStringByteLen
SysAllocString
SysFreeString

shlwapi

SHStrDupW
PathFindExtensionW

msvcp71

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_ifstream@GU?$char_traits@G@std@@@std@@QAE@PBDHH@Z
??_D?$basic_ifstream@GU?$char_traits@G@std@@@std@@QAEXXZ
?close@?$basic_ifstream@GU?$char_traits@G@std@@@std@@QAEXXZ
?compare@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEHPBG@Z
??0?$basic_ofstream@GU?$char_traits@G@std@@@std@@QAE@PBDHH@Z
?close@?$basic_ofstream@GU?$char_traits@G@std@@@std@@QAEXXZ
??_D?$basic_ofstream@GU?$char_traits@G@std@@@std@@QAEXXZ
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
?eof@ios_base@std@@QBE_NXZ
?widen@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEGD@Z
??$?6GU?$char_traits@G@std@@@std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@0@AAV10@PBG@Z
?width@ios_base@std@@QBEHXZ
?flags@ios_base@std@@QBEHXZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEGG@Z
??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEABGI@Z
?width@ios_base@std@@QAEHH@Z
?to_int_type@?$char_traits@G@std@@SAGABG@Z
?sgetc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEGXZ
?eof@?$char_traits@G@std@@SAGXZ
?eq_int_type@?$char_traits@G@std@@SA_NABG0@Z
?sbumpc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEGXZ
?max_size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ
?to_char_type@?$char_traits@G@std@@SAGABG@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z
?snextc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEGXZ
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QAEXH_N@Z
?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z
?uncaught_exception@std@@YA_NXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEXXZ
?good@ios_base@std@@QBE_NXZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEPAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV12@XZ
??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEXXZ
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEPAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?_Nomemory@std@@YAXXZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEXXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?data@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
?insert@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IPBG@Z
?erase@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@II@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBG@Z
??$?MDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBGI@Z
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z
?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
?compare@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEHIIABV12@@Z
?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z

cpscommontools10

?Compose@CMGIShellNameSplitter@@QAEPBGK@Z
??0CMGIShellNameSplitter@@QAE@PBGK@Z
?MGIRegisterCrashHandler@@YAXPAG@Z
?GetProtocol@CMGIShellNameSplitter@@QAEPBGXZ
?GetExtension@CMGIShellNameSplitter@@QAEPBGXZ
??1CMGILock@@QAE@XZ
??0CMGILock@@QAE@PAVCMGISyncObject@@K@Z
??1CMGICriticalSection@@UAE@XZ
??_7CMGICriticalSection@@6B@
??_7CMGISyncObject@@6B@
?Split@CMGIShellNameSplitter@@QAEHPBGK@Z
?GetPath@CMGIShellNameSplitter@@QAEPBGXZ
?SetProtocol@CMGIShellNameSplitter@@QAEXPBG@Z
?GetFileName@CMGIShellNameSplitter@@QAEPBGXZ
??1CMGIShellNameSplitter@@UAE@XZ

msvcr71

_wgetcwd
_wchdir
_ltoa
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__wgetmainargs
malloc
free
_CxxThrowException
memset
_except_handler3
??3@YAXPAX@Z
memcpy
??_V@YAXPAX@Z
??1exception@@UAE@XZ
??0exception@@QAE@XZ
__CxxFrameHandler
_purecall
realloc
??0exception@@QAE@ABV0@@Z
memcmp
_ltow
wcsstr
swprintf
wcsncpy
_wcslwr
memmove
_resetstkoflw
_putws
vswprintf
wcsncmp
_vsnwprintf
setlocale
wcslen
wcstok
_amsg_exit
_wcmdln
exit
_cexit
_XcptFilter
_exit
_c_exit
_onexit
__dllonexit
?terminate@@YAXXZ
??1type_info@@UAE@XZ
__security_error_handler
_callnewh
wcscmp
strcpy
strchr
strlen
atof
_wcsnicmp
_wcsicmp
_strnicmp
wcschr
wcscpy
_wtol

msi

ord129
ord141

wininet

InternetCanonicalizeUrlW

Sections

.text
Size: 740KB - Virtual size: 737KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 232KB - Virtual size: 228KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 104KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dfbee31588174a107600a4ba90a9af7e

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

45:9f:81:c4:54:6f:de:fc:ff:2f:1a:11:05:a6:ef:bdCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

79:e6:b8:f8:7f:95:f8:5a:82:40:a1:76:cd:18:b7:80:c8:43:1f:5fSigner

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

msvcp71

cpscommontools10

msvcr71

msi

wininet

Sections

.text Size: 740KB - Virtual size: 737KB

.rdata Size: 232KB - Virtual size: 228KB

.data Size: 8KB - Virtual size: 7KB

.rsrc Size: 104KB - Virtual size: 100KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

45:9f:81:c4:54:6f:de:fc:ff:2f:1a:11:05:a6:ef:bd
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

79:e6:b8:f8:7f:95:f8:5a:82:40:a1:76:cd:18:b7:80:c8:43:1f:5f
Signer

.text
Size: 740KB - Virtual size: 737KB

.rdata
Size: 232KB - Virtual size: 228KB

.data
Size: 8KB - Virtual size: 7KB

.rsrc
Size: 104KB - Virtual size: 100KB