e38a5961b9c2a043010258495cf557d0_NeikiAnalytics

Sharing

Copy URL Twitter E-mail

General

Target

e38a5961b9c2a043010258495cf557d0_NeikiAnalytics
Size

4.1MB
MD5

e38a5961b9c2a043010258495cf557d0
SHA1

887aa2eee0fd74701118f334837613f38637af20
SHA256

fdf61b7dcbfa6d0cde018ac377e3a1e1fd40cb2e2940518ee79c7d7df234c8d0
SHA512

1075b83289ac3147de7b834ddab2cbeb1af1c0f4516c31fbe9de3795893c064b5d1d58cf837f668263141af243610f8cc0ea02dbe1244d37577aa8315f190fc9
SSDEEP

98304:Jo0MVLA7cGsTyTvbZUI+/FXvzJ5sWdQuSTPROe/4c:J0C4uvlUI+JzJuWauSTJ

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
e38a5961b9c2a043010258495cf557d0_NeikiAnalytics

Files

e38a5961b9c2a043010258495cf557d0_NeikiAnalytics
.dll windows:6 windows x86 arch:x86

19472bce2030b8f684d684f4cdbee6e1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapFree
OpenThread
SuspendThread
ResumeThread
GetThreadContext
SetThreadContext
FlushInstructionCache
VirtualProtect
GetModuleHandleW
CreateToolhelp32Snapshot
Thread32First
Thread32Next
CreateEventA
ExitProcess
GetCurrentProcess
FlushFileBuffers
K32GetProcessImageFileNameA
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
WriteConsoleA
GetConsoleMode
GetDynamicTimeZoneInformation
WaitForSingleObject
AreFileApisANSI
FindFirstFileA
HeapReAlloc
RemoveDirectoryW
GetFileInformationByHandle
GetFileAttributesExW
FindNextFileW
FindFirstFileExW
FindClose
DeleteFileW
LocalFree
GetSystemTimeAsFileTime
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
HeapAlloc
HeapCreate
VirtualQuery
GetModuleFileNameA
CreateFileA
GetCurrentProcessId
PeekNamedPipe
CloseHandle
WriteFile
ReadFile
CreateFileW
IsBadReadPtr
GetModuleHandleA
VirtualFree
VirtualAlloc
GlobalMemoryStatusEx
Sleep
GetLastError
GetVolumeInformationA
InitializeSListHead
CreateEventW
ResetEvent
FreeLibraryAndExitThread
DisableThreadLibraryCalls
GetWindowsDirectoryA
VirtualProtectEx
GetCurrentThreadId
SetEvent
InitializeCriticalSectionAndSpinCount
GetCurrentThread
GetFileSizeEx
WaitForMultipleObjects
GetFileType
GetStdHandle
WaitForSingleObjectEx
GetTickCount
ExpandEnvironmentStringsA
LoadLibraryW
FreeLibrary
GetSystemDirectoryW
SleepEx
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
FormatMessageA
SetLastError
CreateThread
VerifyVersionInfoW
LoadLibraryA
GetProcAddress
QueryPerformanceFrequency
QueryPerformanceCounter
VerSetConditionMask
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalLock
GlobalUnlock
GlobalAlloc
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

GetForegroundWindow
UnregisterClassA
GetClientRect
SetCursorPos
SetCursor
GetCursorPos
ClientToScreen
ScreenToClient
LoadCursorA
IsChild
keybd_event
mouse_event
SendInput
MapVirtualKeyA
GetSystemMetrics
MessageBoxA
FindWindowExA
GetMessageA
TranslateMessage
DispatchMessageA
SendMessageA
DefWindowProcA
PostQuitMessage
RegisterClassExA
CreateWindowExA
DestroyWindow
ShowWindow
SetWindowPos
SetFocus
UpdateWindow
GetWindowTextA
EmptyClipboard
GetClipboardData
SetClipboardData
CloseClipboard
OpenClipboard
GetWindowRect
GetKeyState
GetProcessWindowStation
GetUserObjectInformationW

gdi32

SetTextColor
CreateFontA
GetStockObject
SetBkColor

advapi32

CryptImportKey
CryptDestroyKey
CryptGenRandom
CryptAcquireContextW
GetUserNameA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegGetValueA
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
RegSetValueExA
RegCreateKeyExA
CryptEncrypt
CryptDestroyHash
CryptHashData
CryptCreateHash

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmGetContext

d3dcompiler_47

D3DCompile

msvcp140

?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@G@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@M@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z
_Xtime_get_ticks
_Thrd_join
_Thrd_id
_Cnd_destroy_in_situ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAN@Z
?__ExceptionPtrCreate@@YAXPAX@Z
?__ExceptionPtrDestroy@@YAXPAX@Z
?__ExceptionPtrCopy@@YAXPAXPBX@Z
?__ExceptionPtrAssign@@YAXPAXPBX@Z
?__ExceptionPtrToBool@@YA_NPBX@Z
?__ExceptionPtrCurrentException@@YAXPAX@Z
?__ExceptionPtrRethrow@@YAXPBX@Z
?_XGetLastError@std@@YAXXZ
?setf@ios_base@std@@QAEHHH@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEDD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
_Mtx_trylock
?set_new_handler@std@@YAP6AXXZP6AXXZ@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z
?uncaught_exception@std@@YA_NXZ
??Bid@locale@std@@QAEIXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
??0_Lockit@std@@QAE@H@Z
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QBE_NXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
?_Getcvt@_Locinfo@std@@QBE?AU_Cvtvec@@XZ
?_Throw_Cpp_error@std@@YAXH@Z
?_Throw_C_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Mtx_unlock
_Mtx_lock
_Mtx_destroy_in_situ
_Mtx_init_in_situ
_Thrd_detach
?_Winerror_map@std@@YAHH@Z
?id@?$numpunct@D@std@@2V0locale@2@A
?_Incref@facet@locale@std@@UAEXXZ
?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ
_Cnd_signal
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
??1facet@locale@std@@MAE@XZ
??0facet@locale@std@@IAE@I@Z
?_Gettrue@_Locinfo@std@@QBEPBDXZ
?_Getfalse@_Locinfo@std@@QBEPBDXZ
??1_Locinfo@std@@QAE@XZ
??0_Locinfo@std@@QAE@PBD@Z
?uncaught_exceptions@std@@YAHXZ
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z
?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z
?_Syserror_map@std@@YAPBDH@Z
??1_Lockit@std@@QAE@XZ

wintrust

WinVerifyTrust

urlmon

URLDownloadToFileA

vcruntime140

__std_exception_copy
_purecall
memmove
memset
__std_exception_destroy
memcpy
memchr
strchr
__CxxFrameHandler3
__std_terminate
_except_handler4_common
__std_type_info_destroy_list
__current_exception_context
__current_exception
__RTDynamicCast
wcschr
_setjmp3
longjmp
strrchr
_CxxThrowException
__std_type_info_name
strstr
__std_type_info_compare

api-ms-win-crt-string-l1-1-0

_strdup
tolower
_wcsdup
isalnum
wcspbrk
wcsncmp
isdigit
strcspn
strspn
wcsncpy
isupper
strpbrk
strncmp
isalpha
toupper
isprint
isspace
strncpy

api-ms-win-crt-stdio-l1-1-0

fread
_fsopen
fopen
__stdio_common_vsprintf
fwrite
_open
__stdio_common_vsprintf_s
ftell
fseek
fflush
fclose
_wfopen
_close
_write
fgets
_read
__stdio_common_vfprintf
_lseeki64
fputs
ungetc
setvbuf
_fseeki64
fsetpos
fputc
fgetpos
fgetc
_get_stream_buffer_pointers
__stdio_common_vsnprintf_s
__acrt_iob_func
__stdio_common_vsscanf

api-ms-win-crt-heap-l1-1-0

_aligned_malloc
calloc
malloc
realloc
free
_aligned_free
_callnewh

api-ms-win-crt-utility-l1-1-0

rand
qsort
srand

api-ms-win-crt-math-l1-1-0

_ldtest
_isnan
floor
_finite
_dtest
ceil
_libm_sse2_acos_precise
_dsign
_libm_sse2_sqrt_precise
_libm_sse2_sin_precise
_libm_sse2_cos_precise
_ldsign

api-ms-win-crt-convert-l1-1-0

strtod
strtoll
atoi
strtoul
strtol
atol

api-ms-win-crt-runtime-l1-1-0

_errno
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_cexit
_initterm
_initterm_e
_getpid
_exit
_invalid_parameter_noinfo_noreturn
terminate
_beginthreadex
_invalid_parameter_noinfo
_beginthread
exit
strerror
strerror_s
__sys_nerr

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_fstat64
_mkdir
_unlock_file
_access
_stat64

api-ms-win-crt-time-l1-1-0

_gmtime64_s
_localtime64_s
strftime
_gmtime64
_time64

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
localeconv

api-ms-win-crt-environment-l1-1-0

getenv

crypt32

CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringW
CertAddCertificateContextToStore
CertCloseStore
CryptStringToBinaryW
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore

ws2_32

sendto
recvfrom
listen
accept
freeaddrinfo
getaddrinfo
WSACleanup
WSAStartup
WSAIoctl
setsockopt
ntohs
htons
getsockopt
getsockname
getpeername
connect
closesocket
bind
send
recv
WSASetLastError
select
gethostname
htonl
ntohl
socket
ioctlsocket
WSAGetLastError
__WSAFDIsSet

wldap32

ord142
ord167
ord127
ord27
ord26
ord133
ord41
ord208
ord73
ord216
ord14
ord46
ord219
ord145
ord147
ord79
ord301
ord118

Sections

.text
Size: - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 354KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 276KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.detourc
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 4.1MB - Virtual size: 4.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 726B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

19472bce2030b8f684d684f4cdbee6e1

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

imm32

d3dcompiler_47

msvcp140

wintrust

urlmon

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

crypt32

ws2_32

wldap32

Sections

.text Size: - Virtual size: 2.0MB

.rdata Size: - Virtual size: 354KB

.data Size: - Virtual size: 276KB

.detourc Size: - Virtual size: 4KB

.detourd Size: - Virtual size: 12B

.vmp0 Size: - Virtual size: 1.5MB

.vmp1 Size: 4.1MB - Virtual size: 4.1MB

.reloc Size: 1KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 726B

.text
Size: - Virtual size: 2.0MB

.rdata
Size: - Virtual size: 354KB

.data
Size: - Virtual size: 276KB

.detourc
Size: - Virtual size: 4KB

.detourd
Size: - Virtual size: 12B

.vmp0
Size: - Virtual size: 1.5MB

.vmp1
Size: 4.1MB - Virtual size: 4.1MB

.reloc
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 726B