a380b18874e8a4d1b407855aff3161c0_NEIKI

Sharing

Copy URL Twitter E-mail

General

Target

a380b18874e8a4d1b407855aff3161c0_NEIKI
Size

246KB
MD5

a380b18874e8a4d1b407855aff3161c0
SHA1

a9042245c2a3127bcdf0b691bf9fb634509ac876
SHA256

2fa96000da68cccb54bb0721f4d60b99984654ba84b4264f0dc78615a1722b56
SHA512

cbd4dcfc66b32c07061122fb0bbd6047b9d2a45549e3c4a8076b1a6d38721ca022b9a7ac1277ab35bfa0f7b6ec74bcfe31524d1fb123ff1f3f59886269c600d7
SSDEEP

3072:9/VA2aBAHhgk/TVUIbU+Nsmzr2nETqtDC+J9wG:NVA2achJJxKnjC+JW

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
a380b18874e8a4d1b407855aff3161c0_NEIKI

Files

a380b18874e8a4d1b407855aff3161c0_NEIKI
.exe windows:1 windows x86 arch:x86

1063b51ee1423e77c4945268a53a6fb4

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

c5dosx

DOS

c5runx

Cla$ACCEPTED
Cla$ADDqueue
Cla$ALERT
Cla$ALIAS
Cla$ASK
Cla$BEEP
Cla$BindG
Cla$CLEAR
Cla$ClearDec
Cla$clearstr
Cla$ClearType
Cla$CLOCK
Cla$CLOSEwindow
Cla$code
Cla$COMMAND
Cla$comparestr
Cla$DDEclient
Cla$DDEserver
Cla$DecAdd
Cla$DecCompareN
Cla$DecDistinct
Cla$DecDistinctR
Cla$DecDivide
Cla$DELETEqueue
Cla$DISPLAY
Cla$DPopDec
Cla$DPopLong
Cla$DPopUlong
Cla$DPushDec
Cla$DPushLong
Cla$DPushULong
Cla$EndEventLoop
Cla$EndEventLoops
Cla$ERRCODE
Cla$EVENT
Cla$FIELD
Cla$FILEERRORCODE
Cla$FILEERRORMSG
Cla$FileExists
Cla$FILE_ADDf
Cla$FILE_ADDfu
Cla$FILE_BUILDf
Cla$FILE_CLOSE
Cla$FILE_CREATE
Cla$FILE_GET_PROPERTY
Cla$FILE_NAME
Cla$FILE_NEXT
Cla$FILE_OPEN
Cla$FILE_RECORDSf
Cla$FILE_SETf
Cla$FILE_SET_PROPERTY
Cla$FILE_SHARE
Cla$FIRSTFIELD
Cla$FOCUS
Cla$FREEqueue
Cla$FREEqueuea
Cla$freestr
Cla$FreeUfo
Cla$freewindow
Cla$GETINI
Cla$GetPropS
Cla$GETqueueptr
Cla$Group2Ufo
Cla$HALT
Cla$init
Cla$KEYBOARD
Cla$KEYCODE
Cla$loaddec
Cla$LOCKTHREAD
Cla$Mem2Ufo
Cla$MessageBox
Cla$OPENwindow
Cla$paopen
Cla$PopBind
Cla$PopCString
Cla$PopString
Cla$PopTemp
Cla$POST
Cla$PRESSKEY
Cla$PushBind2
Cla$PushCString
Cla$PushLong
Cla$PushPictLong
Cla$PushReal
Cla$PushString
Cla$PUTINI
Cla$pwopen
Cla$RECORDSqueue
Cla$RegisterSwapQS
Cla$ROLLBACK
Cla$RUN
Cla$SELECT
Cla$seterror
Cla$SETKEYCODE
Cla$SetPropS
Cla$SetPropV
Cla$SETTARGET
Cla$Stack2DStack
Cla$StackALL
Cla$StackCLIP
Cla$StackCompare
Cla$StackCompareN
Cla$StackConcat
Cla$StackConcatR
Cla$StackErrstr
Cla$StackFORMAT2
Cla$StackINSTRING
Cla$StackLEFT
Cla$StackLen
Cla$StackRotate
Cla$StackUPPER
Cla$START
Cla$START3
Cla$StartEventLoop
Cla$StashBP
Cla$STATUSfile
Cla$storestr
Cla$THREAD
Cla$TODAY
Cla$UnbindV
Cla$UNLOCKTHREAD
Cla$YIELD
Wsl$CloseDown
_exit
_free
_longjmp
_malloc
_memset
_setjmp
__checkversion
__sysinit

c5tpsx

TOPSPEED

cab_sec

$UserName_
$UserNo_
CAB:PASSWORDHASEXPIRED@FUcUc15LOGONPARAMETERS
LOGON_@F15LOGONPARAMETERSl

compeng

WS:CE:COMPENGINE@FUc
WS:POS:DATA:INITIALIZE@F

dataglob

$FrameGroup
$GLO:LoggedOn
$GLO:Logoff
$GLO:WindowHandle
$PasswordEncryptionMask

instrwin

EXITPROC@FOUc
WINDSS_MAIN2@F

iswutils

LAUNCHSYSTEMDOC@FUcUssb

isw_dct

$GlobalRequest
$GlobalResponse
$REGMST
$REGMST::Used
$SYSMST
$TRANSITIONS
$TRANSITIONS::Used
EMPMST$EMP:RECORD
EMPMST$TYPE$EMP:RECORD
PINGSQLSERVER@F
REGMST$REG:RECORD
REGMST$TYPE$REG:RECORD
SETSQLOWNER@FOUcOsbOsb
SQLSERVERSTATE@F
SYSMST$SYS:RECORD
SYSMST$TYPE$SYS:RECORD
TRANSITIONS$TRA:RECORD
TRANSITIONS$TYPE$TRA:RECORD

jc1dll

$Ini
ASK@F12JCPOPUPCLASS
ASSIGNBUTTONSIZE@F12JCPOPUPCLASS
CONSTRUCT@F11JCAFORMEXIT
CONSTRUCT@F7JCAUTIL
CREATEBUTTONS@F12JCPOPUPCLASS
CREATEPOPUP@F12JCPOPUPCLASSSBSBLL
DECLAREWINDOW@F12JCPOPUPCLASS
DESTRUCT@F11JCAFORMEXIT
DESTRUCT@F7JCAUTIL
GETCONTROLINFO@F12JCPOPUPCLASS
GETWINPROPERTIES@F12JCPOPUPCLASS
HANDLEACCEPTED@F12JCPOPUPCLASS
HANDLEALERTKEYS@F12JCPOPUPCLASS
INIT@F12JCPOPUPCLASS6UDT002
INIT@F9BASECLASS
INITNOESCBUTTON@F12JCPOPUPCLASS6UDT002
KILL@F12JCPOPUPCLASS
KILL@F9BASECLASS
MONITOREVENTS@F6JCUTIL
SETALERTKEYS@F12JCPOPUPCLASS
SETBORDER@F12JCPOPUPCLASS
SETINITIALCONTROL@F12JCPOPUPCLASS
SETWINDOWPOS@F12JCPOPUPCLASS
SETWINDOWSTYLE@F12JCPOPUPCLASS

jdarun32

$GLO:Resize

jdatm

TMPOST
TMQUERY

kernel32

CloseHandle
CreateMutexA
ExitProcess
GetLastError
Sleep

pbrowse

$GLO:EILActive
$TC:BRW:ExtVScrollDef
$TC:BRW:ForceVScrollDef

pdtr5x

MERGESTRING@FsbsbOsbOsbOsb
TRANSLATE@FBw
TRANSLATESTRING@FsbOUc

rndcur

BUILDRNDCURQ@F

trace32

TRACE:TRACE@FsbsbOsb

wsdevice

WS:POS:DEV@FOs
WS:POS:DEVICE:CLOSEDEVICES@FOUc
WS:POS:DEVICE:OPENDEVICES@FOUc
WS:POS:DEVICE:POLLFORSCANNERDATA@Fl

wsdevutl

$DevUtl:lScannerPort
$DevUtl:ScannerReceiveThread

wsopt

GETOPTION@FsbsbOsbOsb

wspath

WS:PATH:INIT@FOsbOUc

Sections

.text
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.bss
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1063b51ee1423e77c4945268a53a6fb4

Headers

File Characteristics

Imports

c5dosx

c5runx

c5tpsx

cab_sec

compeng

dataglob

instrwin

iswutils

isw_dct

jc1dll

jdarun32

jdatm

kernel32

pbrowse

pdtr5x

rndcur

trace32

wsdevice

wsdevutl

wsopt

wspath

Sections

.text Size: 32KB - Virtual size: 31KB

.bss Size: 3KB - Virtual size: 2KB

.data Size: 9KB - Virtual size: 9KB

.idata Size: 7KB - Virtual size: 7KB

.rsrc Size: 191KB - Virtual size: 191KB

.reloc Size: 5KB - Virtual size: 4KB

.text
Size: 32KB - Virtual size: 31KB

.bss
Size: 3KB - Virtual size: 2KB

.data
Size: 9KB - Virtual size: 9KB

.idata
Size: 7KB - Virtual size: 7KB

.rsrc
Size: 191KB - Virtual size: 191KB

.reloc
Size: 5KB - Virtual size: 4KB