nezur[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

nezur.exe
Size

3.1MB
MD5

b5e8da7722deb53ea7dc0fbc2a243997
SHA1

d3a17b3b4936442b74d403b5e6e978751b8c4b91
SHA256

9835fc3e842d16f89003b4073e4cd72013f687c09778a624e29d0ec1225a8167
SHA512

de9b202bb1b15c0431046137b461b76af39438befe9269cec9f40faa459d91132d7dfded8198522ab4e6f98ba29eb0b58774a411a30f7dbdb3e4dfffde25ee87
SSDEEP

49152:jA4K6ZSWFfh/k0VXPN9mdyIVl65U/S7CQnfGTXbFNL3DUMuFA6MVdh5kgh3kusPN:cSfhtPNBA4

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
nezur.exe

Files

nezur.exe
.exe windows:6 windows x64 arch:x64

34856ce2ee125a91807df3c72aa8cec0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Gavin\Downloads\New folder\NEWWNEUZR\NEWWNEUZR\x64\Release\nezurV3.pdb

Imports

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_43

D3DCompile

kernel32

CreateFileA
GetFileSizeEx
MapViewOfFile
GetSystemTimeAsFileTime
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetFileInformationByHandleEx
CreateFileMappingW
AreFileApisANSI
SetFileInformationByHandle
GetFileAttributesExW
FindNextFileW
FindFirstFileExW
FindFirstFileW
FindClose
CreateDirectoryW
GetCurrentDirectoryW
GetLocaleInfoEx
PeekNamedPipe
MoveFileExA
GetTickCount
UnmapViewOfFile
VerifyVersionInfoA
GetSystemDirectoryA
SleepEx
ReadFile
EnterCriticalSection
LocalFree
VirtualProtect
CreateThread
GetCurrentProcess
DeleteCriticalSection
FormatMessageA
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameW
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
QueryPerformanceFrequency
LoadLibraryA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
GetTempPathW
SetUnhandledExceptionFilter
GetCurrentProcessId
GetProcAddress
GetModuleHandleA
GetCurrentThreadId
VirtualAlloc
VirtualFree
lstrcmpiA
CloseHandle
Process32Next
OutputDebugStringW
Sleep
CreateToolhelp32Snapshot
CreateFileW
WaitForMultipleObjects
GetFileType
GetStdHandle
GetEnvironmentVariableA
LeaveCriticalSection
DeviceIoControl
Process32First
GetModuleFileNameA
WaitForSingleObjectEx
InitializeSListHead

user32

SetLayeredWindowAttributes
SetCapture
SetCursor
GetClientRect
IsWindowUnicode
ReleaseCapture
SetCursorPos
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
GetSystemMetrics
TrackMouseEvent
GetAsyncKeyState
GetForegroundWindow
LoadIconA
ClientToScreen
GetCapture
MonitorFromWindow
PeekMessageA
FindWindowA
MessageBoxA
DispatchMessageA
GetWindowRect
GetCursorPos
SendInput
LoadCursorA
CreateWindowExA
DefWindowProcA
MoveWindow
GetMonitorInfoA
GetWindowLongA
SetWindowLongA
ShowWindow
UnregisterClassW
DestroyWindow
GetKeyState
UpdateWindow
RegisterClassExA
PostQuitMessage
TranslateMessage
ScreenToClient

gdi32

CreateSolidBrush

advapi32

CryptAcquireContextA
RegCreateKeyW
RegDeleteTreeW
RegCloseKey
RegSetKeyValueW
RegOpenKeyExA
RegQueryInfoKeyA
RegSetValueExA
RegQueryValueExA
RegGetValueA
OpenProcessToken
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
RegOpenKeyW
ConvertSidToStringSidA
CopySid
SetSecurityInfo
IsValidSid
InitializeAcl
GetTokenInformation
GetLengthSid
AddAccessAllowedAce

shell32

ShellExecuteA
SHGetFolderPathA
ShellExecuteW

msvcp140

?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_init_in_situ
_Mtx_unlock
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?good@ios_base@std@@QEBA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$collate@D@std@@2V0locale@2@A
_Strcoll
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
?tolower@?$ctype@D@std@@QEBADD@Z
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??7ios_base@std@@QEBA_NXZ
?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??Bios_base@std@@QEBA_NXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_function_call@std@@YAXXZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1_Lockit@std@@QEAA@XZ
?_Xlength_error@std@@YAXPEBD@Z
_Xtime_get_ticks
_Thrd_detach
_Query_perf_counter
_Thrd_sleep
_Cnd_do_broadcast_at_thread_exit
?_Random_device@std@@YAIXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Query_perf_frequency
_Thrd_yield
_Strxfrm
??0_Lockit@std@@QEAA@H@Z

ntdll

RtlLookupFunctionEntry
RtlInitUnicodeString
NtQuerySystemInformation
RtlVirtualUnwind
RtlCaptureContext

imm32

ImmGetContext
ImmSetCandidateWindow
ImmReleaseContext
ImmSetCompositionWindow

dwmapi

DwmExtendFrameIntoClientArea

normaliz

IdnToAscii

wldap32

ord200
ord32
ord301
ord27
ord143
ord26
ord30
ord22
ord41
ord50
ord45
ord60
ord211
ord46
ord79
ord33
ord217
ord35

crypt32

CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CryptDecodeObjectEx
CertOpenStore

ws2_32

sendto
recvfrom
freeaddrinfo
ntohl
select
__WSAFDIsSet
htonl
accept
recv
closesocket
ioctlsocket
WSACleanup
listen
WSAStartup
WSAIoctl
WSASetLastError
socket
setsockopt
ntohs
gethostname
htons
send
WSAGetLastError
bind
connect
getpeername
getsockname
getaddrinfo
getsockopt

shlwapi

PathFindFileNameW

rpcrt4

UuidCreate
UuidToStringA
RpcStringFreeA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception_context
__current_exception
strrchr
memset
memmove
memcpy
memcmp
_CxxThrowException
strstr
__C_specific_handler
wcsstr
strchr
__std_exception_copy
__std_exception_destroy
__std_terminate
memchr

api-ms-win-crt-runtime-l1-1-0

_c_exit
system
exit
_beginthreadex
terminate
_register_thread_local_exe_atexit_callback
_resetstkoflw
_getpid
_exit
_invalid_parameter_noinfo_noreturn
_invalid_parameter_noinfo
abort
__sys_nerr
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
strerror
_get_initial_narrow_environment
_initterm
_initterm_e
_errno
__p___argc
__p___argv

api-ms-win-crt-stdio-l1-1-0

_lseeki64
fputc
fflush
__p__commode
fclose
_read
_write
_popen
_pclose
_close
_open
fopen
fgetc
fgets
feof
fwrite
fgetpos
setvbuf
ungetc
fputs
fsetpos
fread
__stdio_common_vsscanf
_wfopen
_fseeki64
_get_stream_buffer_pointers
__stdio_common_vfprintf
fseek
__acrt_iob_func
ftell
__stdio_common_vsprintf
__stdio_common_vsprintf_s
_set_fmode

api-ms-win-crt-heap-l1-1-0

free
realloc
_callnewh
malloc
calloc
_set_new_mode

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_stat64
_access
_unlink
_lock_file
_fstat64
_wremove

api-ms-win-crt-convert-l1-1-0

strtoul
strtoull
atof
strtol
strtod
atoi
strtoll

api-ms-win-crt-utility-l1-1-0

srand
qsort
rand

api-ms-win-crt-string-l1-1-0

strpbrk
strcmp
strcspn
strspn
strncpy
strncmp
isupper
_strdup
_stricmp
tolower
isspace

api-ms-win-crt-time-l1-1-0

_localtime64
strftime
_gmtime64
_time64

api-ms-win-crt-math-l1-1-0

_dsign
sqrt
powf
cosf
_fdclass
sinf
fmodf
_dclass
acosf
__setusermatherr
sqrtf
pow
roundf
atan2f
ceilf

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale
___lc_codepage_func

api-ms-win-crt-environment-l1-1-0

getenv

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 220KB - Virtual size: 219KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 176KB - Virtual size: 176KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

34856ce2ee125a91807df3c72aa8cec0

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d11

d3dcompiler_43

kernel32

user32

gdi32

advapi32

shell32

msvcp140

ntdll

imm32

dwmapi

normaliz

wldap32

crypt32

ws2_32

shlwapi

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

Sections

.text Size: 1.4MB - Virtual size: 1.4MB

.rdata Size: 220KB - Virtual size: 219KB

.data Size: 1.3MB - Virtual size: 1.3MB

.pdata Size: 40KB - Virtual size: 39KB

.rsrc Size: 176KB - Virtual size: 176KB

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 1.4MB - Virtual size: 1.4MB

.rdata
Size: 220KB - Virtual size: 219KB

.data
Size: 1.3MB - Virtual size: 1.3MB

.pdata
Size: 40KB - Virtual size: 39KB

.rsrc
Size: 176KB - Virtual size: 176KB

.reloc
Size: 2KB - Virtual size: 2KB