bbfc71d74eabd95d089600b24eeafa40_NeikiAnalytics

Sharing

Copy URL

Twitter E-mail

General

Target

bbfc71d74eabd95d089600b24eeafa40_NeikiAnalytics
Size

78KB
MD5

bbfc71d74eabd95d089600b24eeafa40
SHA1

5b03460f069f734fab620346450ad0aaada5a563
SHA256

43c37918153e3d4a2a8833a2759463ee6b55f3af41423037f753c49aad6d72a5
SHA512

b60a876974d8edf78270b1269e8e195bd9a9d58fe82dccf23a6069930bb8731388514df30d85a111ebb699d9bda585a72aae7e209034f56034e60c0a67ac44d6
SSDEEP

1536:RnKlLpmDT4N0wK54mwFg9lO1LyMSeE3VTJAr+hf:pwpm/s65XwFgbO1LyMiTh

Score

1^/10

Malware Config

Signatures

Files

bbfc71d74eabd95d089600b24eeafa40_NeikiAnalytics
.dll regsvr32 windows:5 windows x86 arch:x86

a14870ddcbd671135e9329e8501a948f

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

15:b7:7e:a6:97:43:e1:29:7f:c6:85:18:b9:57:10:7f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

21/03/2013, 00:00

Not After

23/06/2015, 23:59

Subject

CN=ShenZhen Thunder Networking Technologies Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Operate,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ef:3e:64:8a:01:c4:7a:07:94:6d:32:a3:40:cb:4f:d7:e0:de:0b:32
Signer

Actual PE Digest

ef:3e:64:8a:01:c4:7a:07:94:6d:32:a3:40:cb:4f:d7:e0:de:0b:32

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\Users\Administrator\Desktop\AutoBuild\crash20130607(7.9.4)\build\pdb\BHO\ProductRelease\ThunderAgent.pdb

Imports

wininet

InternetGetCookieW

ws2_32

WSADuplicateSocketW
WSAGetLastError

kernel32

Process32FirstW
CreateToolhelp32Snapshot
TerminateProcess
GetModuleFileNameW
GetTickCount
Sleep
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
WriteFile
CreateFileW
GetTempFileNameW
GetTempPathW
UnmapViewOfFile
GetModuleHandleW
CopyFileW
SetThreadLocale
GetThreadLocale
WaitForSingleObject
ReleaseMutex
OpenFileMappingA
OpenMutexA
CreateFileMappingA
CreateMutexA
FindClose
FindFirstFileW
SetLastError
Process32NextW
VirtualQuery
IsBadCodePtr
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
OpenProcess
GetCurrentThreadId
CreateFileMappingW
MapViewOfFile
CloseHandle
InterlockedCompareExchange
InterlockedExchange
GetProcessHeap
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
HeapDestroy
lstrcpyW
lstrlenW
GetCurrentProcessId
LoadLibraryW
GetProcAddress
InterlockedDecrement
InterlockedIncrement
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetLastError

user32

SendMessageTimeoutW
wsprintfW
SendMessageW
FindWindowW
MessageBoxW
IsWindow
CharNextW
RegisterWindowMessageW
GetWindowThreadProcessId

advapi32

RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
RegCreateKeyExW
RegCloseKey

shell32

ShellExecuteW
SHGetFolderPathW

ole32

CoCreateInstance
CoTaskMemFree

oleaut32

SysAllocString
RegisterTypeLi
UnRegisterTypeLi
LoadTypeLi
LoadRegTypeLi
SysStringLen
SysFreeString

atl90

ord64
ord15
ord49
ord56
ord31
ord58
ord32
ord61
ord23
ord68

shlwapi

PathRemoveFileSpecW
SHDeleteValueW
SHSetValueW
SHGetValueW
StrCmpW
PathFileExistsW
PathAppendW
PathFindFileNameW
StrStrIW
PathCombineW
StrCmpIW
PathMatchSpecW
StrCpyW

msvcp90

?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
?rfind@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_WI@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
?resize@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?clear@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_WI@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?size@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?insert@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@IABV12@@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDI@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?reserve@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?erase@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@II@Z

msvcr90

?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
__clean_type_info_names_internal
abs
_invalid_parameter_noinfo
wcsrchr
??3@YAXPAX@Z
_CxxThrowException
memcpy_s
memset
??_V@YAXPAX@Z
wcsncmp
wcslen
sprintf
__CxxFrameHandler3
_vscwprintf
vswprintf_s
memcpy
strlen
wcsncpy
_wcslwr
wcscpy
wcstombs
??2@YAPAXI@Z
free
calloc
_recalloc
_purecall
memcmp
wcsncpy_s
_wcsicmp
_except_handler4_common
?terminate@@YAXXZ
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer
_malloc_crt
_encoded_null
_initterm
_initterm_e
_amsg_exit
_adjust_fdiv
__CppXcptFilter

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

wintrust

CryptCATAdminCalcHashFromFileHandle
CryptCATAdminAcquireContext
CryptCATAdminReleaseContext
CryptCATAdminReleaseCatalogContext
WinVerifyTrust
CryptCATCatalogInfoFromContext
CryptCATAdminEnumCatalogFromHash

crypt32

CryptMsgGetParam
CertCloseStore
CryptQueryObject
CryptMsgClose

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllRegisterServerDirect
DllUnregisterServer

Sections

.text
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a14870ddcbd671135e9329e8501a948f

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

15:b7:7e:a6:97:43:e1:29:7f:c6:85:18:b9:57:10:7fCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

ef:3e:64:8a:01:c4:7a:07:94:6d:32:a3:40:cb:4f:d7:e0:de:0b:32Signer

Headers

File Characteristics

PDB Paths

Imports

wininet

ws2_32

kernel32

user32

advapi32

shell32

ole32

oleaut32

atl90

shlwapi

msvcp90

msvcr90

version

wintrust

crypt32

Exports

Exports

Sections

.text Size: 34KB - Virtual size: 33KB

.rdata Size: 18KB - Virtual size: 17KB

.data Size: 1KB - Virtual size: 2KB

.rsrc Size: 13KB - Virtual size: 12KB

.reloc Size: 5KB - Virtual size: 4KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

15:b7:7e:a6:97:43:e1:29:7f:c6:85:18:b9:57:10:7f
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

ef:3e:64:8a:01:c4:7a:07:94:6d:32:a3:40:cb:4f:d7:e0:de:0b:32
Signer

.text
Size: 34KB - Virtual size: 33KB

.rdata
Size: 18KB - Virtual size: 17KB

.data
Size: 1KB - Virtual size: 2KB

.rsrc
Size: 13KB - Virtual size: 12KB

.reloc
Size: 5KB - Virtual size: 4KB