C:\Users\beauv\Downloads\Nemesis_Loader\x64\Release\Nemesis Loader.pdb
Static task
static1
Behavioral task
behavioral1
Sample
4d5a9012d42b045da3100e40d2abf5d0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4d5a9012d42b045da3100e40d2abf5d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
4d5a9012d42b045da3100e40d2abf5d0_NeikiAnalytics.exe
-
Size
3.6MB
-
MD5
4d5a9012d42b045da3100e40d2abf5d0
-
SHA1
17d243db7af03fb6c89316d1ab7e0af5ba4b22df
-
SHA256
2129d6f88751bd347180b4e843e7fb7df77516acab88812a87d1cc9418ece544
-
SHA512
a4dcac3c1a81ef75fa1a613d1eeae0d79f68dcd020939d3d95c3d13859be0f583d709e8e8fdff5a752aa15634f5af2f26dce38629d114096778096f083a7afca
-
SSDEEP
49152:AeZqlCQBG7FUu3sCkdXozBq3xnVMbhfn6ngUb:AeuE7FUldYzBq3I
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks whether the PE carries an Authenticode signature; this sample has none. An unsigned binary cannot be attributed to a publisher, but the absence of a signature is a weak indicator on its own and should be weighed together with the other static and behavioral findings rather than used as a verdict.
resource 4d5a9012d42b045da3100e40d2abf5d0_NeikiAnalytics.exe
Files
-
4d5a9012d42b045da3100e40d2abf5d0_NeikiAnalytics.exe.exe windows:6 windows x64 arch:x64
eeb80fa22133423d6a6564e204b41811
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
d3d9
Direct3DCreate9
vmprotectsdk64
VMProtectIsProtected
VMProtectEnd
VMProtectBeginUltra
VMProtectIsVirtualMachinePresent
VMProtectIsDebuggerPresent
kernel32
CreateThread
GetCurrentThreadId
OpenThread
GetExitCodeThread
ResumeThread
SetProcessMitigationPolicy
VirtualQuery
MapViewOfFile
UnmapViewOfFile
LoadLibraryW
CreateFileMappingA
QueryFullProcessImageNameA
AllocConsole
SetConsoleTitleA
GetConsoleWindow
K32EnumDeviceDrivers
K32GetDeviceDriverBaseNameA
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
Process32First
Process32Next
Module32FirstW
Module32NextW
FindFirstFileW
OutputDebugStringA
SetLastError
GetModuleHandleW
FindClose
FindFirstFileA
FindNextFileA
GetLogicalDrives
ReadFile
SetFilePointer
WriteFile
GetTempPathA
GetTickCount64
GetModuleFileNameW
CreateFileW
K32GetModuleInformation
SetThreadExecutionState
QueryFullProcessImageNameW
CheckRemoteDebuggerPresent
GetFileSize
GetBinaryTypeW
GetEnvironmentVariableW
GetWriteWatch
ResetWriteWatch
GlobalGetAtomNameW
HeapQueryInformation
SuspendThread
GetExitCodeProcess
DeleteCriticalSection
OutputDebugStringW
LocalFree
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
FormatMessageA
GetFileSizeEx
GetLocaleInfoEx
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
TerminateProcess
ExitProcess
GetCurrentProcessId
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlVirtualUnwind
UnhandledExceptionFilter
GetFileAttributesExW
SetFileInformationByHandle
HeapFree
SetUnhandledExceptionFilter
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
Beep
RtlCaptureContext
QueryPerformanceFrequency
QueryPerformanceCounter
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalLock
GlobalUnlock
GlobalAlloc
FlushInstructionCache
WaitForSingleObject
AreFileApisANSI
GetFileInformationByHandleEx
OpenProcess
GetModuleHandleA
VirtualProtect
GetSystemInfo
Sleep
GetThreadContext
GetCurrentThread
RaiseException
RtlLookupFunctionEntry
K32GetModuleBaseNameA
K32EnumProcessModules
IsDebuggerPresent
FreeLibrary
GetCurrentProcess
LoadLibraryA
GetProcAddress
VirtualFree
VirtualAlloc
DebugBreak
GetModuleFileNameA
CreateFileA
CloseHandle
lstrcmpiA
VerifyVersionInfoW
VerSetConditionMask
SetThreadContext
ReadProcessMemory
InitializeSListHead
GetSystemTimeAsFileTime
IsProcessorFeaturePresent
CreateFileMappingW
user32
UnregisterClassW
BlockInput
OpenClipboard
CloseClipboard
EnumDisplayMonitors
GetMonitorInfoA
MonitorFromWindow
LoadCursorA
RegisterClassExW
CreateWindowExW
SetClipboardData
GetClipboardData
EmptyClipboard
DefWindowProcA
SetWindowLongW
SetWindowLongA
GetWindowLongW
WindowFromPoint
ScreenToClient
UnregisterClassA
DefWindowProcW
CreateWindowExA
IsChild
DestroyWindow
ShowWindow
SetLayeredWindowAttributes
SetWindowPos
IsIconic
BringWindowToTop
SetFocus
GetKeyState
GetCapture
SetCapture
ReleaseCapture
SetCursorPos
SetForegroundWindow
GetDC
ReleaseDC
SetWindowTextW
GetClientRect
AdjustWindowRectEx
PostQuitMessage
PeekMessageA
DispatchMessageA
TranslateMessage
RegisterClassExA
ClientToScreen
GetCursorPos
SetCursor
GetForegroundWindow
GetSystemMetrics
FindWindowExW
FindWindowW
GetClassNameW
wsprintfA
GetWindowThreadProcessId
GetClassNameA
EnumWindows
FindWindowA
MessageBoxW
MessageBoxA
GetWindowTextA
UpdateWindow
gdi32
GetDeviceCaps
advapi32
SetSecurityInfo
InitializeAcl
GetLengthSid
AddAccessAllowedAce
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
RegOpenKeyExW
ConvertSidToStringSidA
RegSetValueExA
RegEnumKeyExA
IsValidSid
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
LookupPrivilegeValueA
GetTokenInformation
AdjustTokenPrivileges
OpenProcessToken
CopySid
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
GetUserNameA
shell32
SHGetFolderPathA
ShellExecuteExA
ShellExecuteA
oleaut32
VariantClear
shlwapi
StrStrA
PathFindFileNameW
iphlpapi
GetAdaptersInfo
normaliz
IdnToAscii
ws2_32
ntohl
gethostname
WSAStartup
WSAIoctl
WSASetLastError
socket
setsockopt
ntohs
sendto
recvfrom
freeaddrinfo
getaddrinfo
select
__WSAFDIsSet
ioctlsocket
htons
listen
htonl
accept
WSACleanup
getsockopt
getsockname
getpeername
closesocket
connect
bind
WSAGetLastError
send
recv
wldap32
ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27
ord26
ord22
ord41
ord50
ord45
ord143
ord217
ord46
ord211
ord60
crypt32
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptStringToBinaryA
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptDecodeObjectEx
PFXImportCertStore
winhttp
WinHttpGetIEProxyConfigForCurrentUser
WinHttpCloseHandle
WinHttpOpenRequest
WinHttpOpen
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpConnect
ntdll
RtlAdjustPrivilege
NtRaiseHardError
NtSetDebugFilterState
NtRaiseException
NtQueryInformationProcess
NtClose
NtQuerySystemInformation
msvcp140
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Xout_of_range@std@@YAXPEBD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Xbad_function_call@std@@YAXXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setf@ios_base@std@@QEAAHHH@Z
?good@ios_base@std@@QEBA_NXZ
??7ios_base@std@@QEBA_NXZ
??Bios_base@std@@QEBA_NXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Random_device@std@@YAIXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??Bid@locale@std@@QEAA_KXZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xlength_error@std@@YAXPEBD@Z
?uncaught_exception@std@@YA_NXZ
_Thrd_sleep
_Xtime_get_ticks
_Query_perf_counter
_Query_perf_frequency
_Thrd_detach
_Thrd_join
_Thrd_id
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
imagehlp
ImageNtHeader
psapi
EnumProcesses
GetModuleFileNameExW
EnumProcessModules
GetModuleInformation
imm32
ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow
userenv
UnloadUserProfile
rpcrt4
UuidToStringA
RpcStringFreeA
UuidCreate
vcruntime140
__C_specific_handler
memset
memcmp
memmove
__std_exception_copy
__std_exception_destroy
_CxxThrowException
memcpy
__std_terminate
memchr
strstr
strchr
__std_type_info_compare
wcsstr
strrchr
__current_exception
__current_exception_context
_local_unwind
vcruntime140_1
__CxxFrameHandler4
api-ms-win-crt-stdio-l1-1-0
__p__commode
_read
_write
_set_fmode
_close
_open
ungetc
__stdio_common_vsscanf
__stdio_common_vsprintf
fwrite
ftell
setvbuf
fclose
_popen
_pclose
fopen
fputs
fseek
_fseeki64
fsetpos
fputc
_lseeki64
fread
fgets
fgetpos
fgetc
feof
_get_stream_buffer_pointers
fflush
_wfopen
__stdio_common_vfprintf
__acrt_iob_func
api-ms-win-crt-string-l1-1-0
strspn
strcspn
wcscmp
strpbrk
wcslen
wcscpy_s
strcat_s
toupper
tolower
wcscpy
strcpy
strnlen
strncpy
_wcsicmp
_strdup
strcmp
isupper
strncmp
strlen
api-ms-win-crt-heap-l1-1-0
malloc
realloc
free
_callnewh
_set_new_mode
calloc
api-ms-win-crt-runtime-l1-1-0
_Exit
quick_exit
_initialize_narrow_environment
_configure_narrow_argv
_exit
exit
_invalid_parameter_noinfo_noreturn
system
_register_onexit_function
__sys_nerr
_crt_atexit
_getpid
_cexit
strerror
_seh_filter_exe
_set_app_type
abort
_resetstkoflw
_get_initial_narrow_environment
_errno
_initterm
_initterm_e
__p___argc
terminate
__p___argv
_initialize_onexit_table
_invalid_parameter_noinfo
_register_thread_local_exe_atexit_callback
_c_exit
_beginthreadex
raise
api-ms-win-crt-utility-l1-1-0
rand
qsort
srand
api-ms-win-crt-math-l1-1-0
sqrtf
acosf
ceilf
_dclass
sinf
__setusermatherr
cosf
fmodf
fabs
api-ms-win-crt-convert-l1-1-0
atoi
strtoull
strtoll
strtod
strtol
strtoul
api-ms-win-crt-filesystem-l1-1-0
_stat64
rename
_access
_unlink
_fstat64
_lock_file
_unlock_file
api-ms-win-crt-time-l1-1-0
_time64
_gmtime64
api-ms-win-crt-locale-l1-1-0
___lc_codepage_func
_configthreadlocale
localeconv
api-ms-win-crt-multibyte-l1-1-0
_mbscmp
Sections
.text Size: 1.9MB - Virtual size: 1.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 276KB - Virtual size: 275KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1.1MB - Virtual size: 1.1MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 36KB - Virtual size: 35KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.SPN Size: 512B - Virtual size: 1B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.detourc Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.detourd Size: 512B - Virtual size: 24B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 266KB - Virtual size: 265KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ