USBDeview[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

USBDeview.exe
Size

192KB
MD5

47dcf62390925838511422da7543614f
SHA1

4c3ba6133c5e17439915b7288d954ab4fb4c448c
SHA256

57f7cedd6bc0be6adc9a4816a5893bc42fd0c6b05ee993fe24e86d36975e0c20
SHA512

327b4fa63aa3216ba436cf74a5224247d2795c35e18197c8f123d37dab2c6b5524ee324657686301775dc0eec482f7127a59e3b6a7c418d2d5812cbeeed30f5a
SSDEEP

3072:z51/nUN6gFRi8nzOPxzUwKUVpfVgqgxPp/mTwtvIJd6du23sjMZ1PUP7g84oavMj:FsDiWyt97mdT3iy1PU1GK

Score

9^/10

Malware Config

Signatures

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
sample	Nirsoft

Files

USBDeview.exe
.exe windows:4 windows x64 arch:x64

0ca732aa2f0b1bbb2736fa8cce06852e

Code Sign

f7:a0:a7:30:c8:7d:94:cd:83:02:e3:ea:7f:66:1b:b7
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/09/2019, 00:00

Not After

09/09/2023, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=7135117,STREET=Dakar 21\, Unit 82,L=Lod,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/03/2019, 00:00

Not After

31/12/2028, 23:59

Subject

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/11/2018, 00:00

Not After

31/12/2030, 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/05/2023, 00:00

Not After

02/08/2034, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ca:b4:ce:0c:1f:59:31:48:89:2f:6e:15:46:47:da:d9:57:17:4a:dc:16:1c:26:48:0a:a1:29:ed:6a:c9:0d:43
Signer

Actual PE Digest

ca:b4:ce:0c:1f:59:31:48:89:2f:6e:15:46:47:da:d9:57:17:4a:dc:16:1c:26:48:0a:a1:29:ed:6a:c9:0d:43

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

f:\Projects\VS2005\USBDeview\x64\Release\USBDeview.pdb

Imports

msvcrt

__getmainargs
_acmdln
exit
_cexit
_exit
_c_exit
_XcptFilter
__C_specific_handler
_onexit
_initterm
__setusermatherr
_commode
_fmode
__set_app_type
__dllonexit
_mbsrchr
atol
_strlwr
_mbsicmp
qsort
_mbschr
memmove
_strnicmp
strrchr
strchr
strcmp
strtoul
malloc
free
_strcmpi
modf
_memicmp
memcmp
srand
rand
abs
_strupr
_itoa
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
memcpy
strlen
_purecall
_stricmp
_snprintf
atoi
strcpy
memset
strcat
strncat
sprintf

comctl32

ImageList_Add
CreateToolbarEx
ImageList_SetImageCount
ImageList_Create
ImageList_AddMasked
ord6

ws2_32

socket
WSASetLastError
closesocket
send
WSAAsyncSelect
WSAAsyncGetHostByName
connect
inet_addr
htonl
WSAGetLastError
htons
bind
WSAStartup
WSACleanup

kernel32

Process32Next
OpenProcess
SetEnvironmentVariableA
GetCurrentThreadId
DeviceIoControl
GetStartupInfoA
GetProcAddress
CreateToolhelp32Snapshot
Process32First
GetCurrentProcess
ExitProcess
GetCurrentProcessId
ReadProcessMemory
ExpandEnvironmentStringsA
CreateProcessA
Sleep
FreeLibrary
WinExec
GetComputerNameA
GetModuleFileNameA
GetLastError
CompareFileTime
GetPrivateProfileStringA
SystemTimeToFileTime
GetModuleHandleA
FileTimeToSystemTime
LoadLibraryA
GetDiskFreeSpaceExA
GetLogicalDrives
GetWindowsDirectoryA
GetDriveTypeA
ReadFile
FlushFileBuffers
CloseHandle
DeleteFileA
CreateThread
CreateFileA
GetTickCount
WriteFile
SystemTimeToTzSpecificLocalTime
FileTimeToLocalFileTime
GetDateFormatA
GetTempPathA
LocalFree
GetSystemDirectoryA
GetTempFileNameA
GetFileSize
LoadLibraryExA
GlobalAlloc
GlobalLock
WideCharToMultiByte
MultiByteToWideChar
GetTimeFormatA
GlobalUnlock
GetFileAttributesA
GetVersionExA
FormatMessageA
GetPrivateProfileIntA
WritePrivateProfileStringA
EnumResourceNamesA
GetStdHandle
SetErrorMode

user32

EnumWindows
GetWindowThreadProcessId
SetForegroundWindow
AttachThreadInput
GetMessageA
GetSysColorBrush
ShowWindow
LoadCursorA
SetTimer
ReleaseDC
GetDC
SetCursor
SetDlgItemInt
BeginPaint
GetWindow
GetClientRect
SetDlgItemTextA
DrawFrameControl
GetDlgItemTextA
SetWindowTextA
GetSystemMetrics
DeferWindowPos
SendDlgItemMessageA
GetWindowRect
GetDlgItemInt
EndDialog
GetDlgItem
CreateWindowExA
EndPaint
InvalidateRect
DefWindowProcA
TranslateAcceleratorA
MessageBoxA
GetWindowPlacement
SendMessageA
RegisterClassA
UpdateWindow
PostMessageA
SetMenu
LoadAcceleratorsA
SetWindowPos
LoadImageA
GetSysColor
GetWindowLongA
SetWindowLongA
EndDeferWindowPos
BeginDeferWindowPos
SetFocus
GetWindowTextA
CheckMenuRadioItem
MoveWindow
OpenClipboard
CheckMenuItem
GetMenu
EmptyClipboard
EnableMenuItem
InsertMenuItemA
GetMenuItemCount
GetParent
SetClipboardData
GetMenuStringA
EnableWindow
MapWindowPoints
GetSubMenu
GetCursorPos
GetClassNameA
CloseClipboard
LoadMenuA
LoadStringA
ModifyMenuA
DialogBoxParamA
GetDlgCtrlID
DestroyMenu
CreateDialogParamA
DestroyWindow
EnumChildWindows
GetMenuItemInfoA
CreatePopupMenu
LoadIconA
SetMenuItemInfoA
GetKeyState
TranslateMessage
IsDialogMessageA
KillTimer
DrawTextExA
InsertMenuA
RegisterWindowMessageA
TrackPopupMenu
DispatchMessageA
PostQuitMessage
RemoveMenu
ChildWindowFromPoint

gdi32

GetTextExtentPoint32A
CreateCompatibleBitmap
SetTextColor
StretchBlt
GetStockObject
SetBkColor
GetPixel
GetObjectA
DeleteObject
SetBkMode
GetDeviceCaps
CreateFontIndirectA
CreateCompatibleDC
SelectObject
SetPixel
SetStretchBltMode
DeleteDC

comdlg32

ChooseFontA
FindTextA
GetSaveFileNameA

advapi32

RegCreateKeyA
OpenSCManagerA
ControlService
QueryServiceStatus
RegCloseKey
StartServiceA
ChangeServiceConfigA
OpenServiceA
CloseServiceHandle
RegLoadKeyA
RegUnLoadKeyA
RegConnectRegistryA
RegEnumKeyExA
RegQueryValueExA
RegSetValueExA
RegDeleteValueA
RegQueryInfoKeyA
RegOpenKeyExA
RegDeleteKeyA
CryptReleaseContext
CryptHashData
CryptDestroyHash
CryptGetHashParam
CryptCreateHash
CryptAcquireContextA

shell32

SHGetFileInfoA
ShellExecuteExA
ShellExecuteA
Shell_NotifyIconA

ole32

CoCreateInstance

Sections

.text
Size: 126KB - Virtual size: 125KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0ca732aa2f0b1bbb2736fa8cce06852e

Code Sign

f7:a0:a7:30:c8:7d:94:cd:83:02:e3:ea:7f:66:1b:b7Certificate

Extended Key Usages

Key Usages

39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95Certificate

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

ca:b4:ce:0c:1f:59:31:48:89:2f:6e:15:46:47:da:d9:57:17:4a:dc:16:1c:26:48:0a:a1:29:ed:6a:c9:0d:43Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

comctl32

ws2_32

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

Sections

.text Size: 126KB - Virtual size: 125KB

.rdata Size: 22KB - Virtual size: 22KB

.data Size: 2KB - Virtual size: 6KB

.pdata Size: 4KB - Virtual size: 4KB

.rsrc Size: 26KB - Virtual size: 26KB

f7:a0:a7:30:c8:7d:94:cd:83:02:e3:ea:7f:66:1b:b7
Certificate

39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

ca:b4:ce:0c:1f:59:31:48:89:2f:6e:15:46:47:da:d9:57:17:4a:dc:16:1c:26:48:0a:a1:29:ed:6a:c9:0d:43
Signer

.text
Size: 126KB - Virtual size: 125KB

.rdata
Size: 22KB - Virtual size: 22KB

.data
Size: 2KB - Virtual size: 6KB

.pdata
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 26KB - Virtual size: 26KB