USBDeview[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

USBDeview.exe
Size

179KB
MD5

34007f728886fc92cf942c6fbf3cd29c
SHA1

815329be006971d37ca6e2a6ba4d12d877ef7d31
SHA256

0a594477309db1a1b223cbb99304f076c46b90d032a877ba2ff9d3599b8af8c1
SHA512

3743aa19115365d246f0895cbcc26321550715b5bcb066c683f4afce3a170455ae9cecdad8e5e06b4a9c83fd2395d9c4c7a1f72d0e5319ed04ea1b27c8781908
SSDEEP

3072:ruK7fbP+DgsGRbkdhgkzBsEGp5Eqfip2XM/PSZGSc+s3yxzNiP7whIOS2x:iC+DmpkdpBsEGEKRsidNiMS4

Score

9^/10

Malware Config

Signatures

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
sample	Nirsoft

Files

USBDeview.exe
.exe windows:4 windows x64 arch:x64

eba05b579d3ab843c7be0a272e2d6b93

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

24/08/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

Issuer

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/09/2014, 00:00

Not After

12/09/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

30/03/2016, 00:00

Not After

30/06/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-256 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

ed:8e:aa:83:28:62:54:38:50:a1:26:c9:ca:40:8e:7a:ca:7b:23:8e:e4:a1:51:f8:ab:39:1a:6b:be:c5:aa:a5
Signer

Actual PE Digest

ed:8e:aa:83:28:62:54:38:50:a1:26:c9:ca:40:8e:7a:ca:7b:23:8e:e4:a1:51:f8:ab:39:1a:6b:be:c5:aa:a5

Digest Algorithm

sha256

PE Digest Matches

true

20:ed:07:9a:27:8a:9e:50:76:6c:9b:af:00:8c:a4:1a:ea:54:37:1f
Signer

Actual PE Digest

20:ed:07:9a:27:8a:9e:50:76:6c:9b:af:00:8c:a4:1a:ea:54:37:1f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\Projects\VS2005\USBDeview\x64\Release\USBDeview.pdb

Imports

msvcrt

__getmainargs
_acmdln
exit
_cexit
_initterm
_c_exit
_XcptFilter
__C_specific_handler
_onexit
__setusermatherr
_commode
_fmode
__set_app_type
_exit
__dllonexit
_mbsrchr
atol
_mbschr
_snprintf
qsort
_strlwr
_mbsicmp
memmove
_strnicmp
modf
_strcmpi
memcmp
_memicmp
strchr
strrchr
strcmp
malloc
strtoul
free
srand
rand
abs
_strupr
_itoa
??3@YAXPEAX@Z
??2@YAPEAX_K@Z
strlen
memcpy
atoi
_stricmp
_purecall
strcpy
memset
strcat
strncat
sprintf

comctl32

ImageList_Create
ImageList_SetImageCount
CreateToolbarEx
ord6
ImageList_AddMasked

ws2_32

WSAStartup
WSAGetLastError
htonl
inet_addr
connect
WSAAsyncGetHostByName
WSAAsyncSelect
send
closesocket
WSASetLastError
socket
bind
htons
WSACleanup

kernel32

WideCharToMultiByte
WritePrivateProfileStringA
GetStartupInfoA
GetModuleHandleA
DeviceIoControl
GetCurrentThreadId
OpenProcess
ReadProcessMemory
GetCurrentProcess
ExitProcess
GetCurrentProcessId
ExpandEnvironmentStringsA
CreateProcessA
Sleep
SetErrorMode
GetStdHandle
GetPrivateProfileIntA
GetLastError
GetPrivateProfileStringA
CompareFileTime
GetComputerNameA
WinExec
FreeLibrary
SystemTimeToFileTime
FileTimeToSystemTime
GetProcAddress
LoadLibraryA
GetDriveTypeA
GetDiskFreeSpaceExA
GetLogicalDrives
GetWindowsDirectoryA
CloseHandle
DeleteFileA
CreateThread
CreateFileA
GetTickCount
WriteFile
ReadFile
FlushFileBuffers
LoadLibraryExA
GetFileSize
GlobalAlloc
GlobalLock
GetTimeFormatA
GlobalUnlock
GetFileAttributesA
GetVersionExA
FileTimeToLocalFileTime
FormatMessageA
GetTempPathA
GetModuleFileNameA
SystemTimeToTzSpecificLocalTime
LocalFree
GetDateFormatA
GetTempFileNameA
EnumResourceNamesA

user32

GetDlgCtrlID
GetWindowThreadProcessId
SetForegroundWindow
AttachThreadInput
EnumWindows
DrawTextExA
IsDialogMessageA
KillTimer
TranslateMessage
GetKeyState
GetMessageA
DispatchMessageA
SetTimer
PostQuitMessage
GetSysColorBrush
ShowWindow
LoadCursorA
ChildWindowFromPoint
ReleaseDC
GetDC
SetCursor
EndDialog
GetDlgItemInt
GetDlgItem
CreateWindowExA
EndPaint
InvalidateRect
SetDlgItemInt
BeginPaint
GetWindow
SetDlgItemTextA
GetClientRect
DrawFrameControl
GetDlgItemTextA
SetWindowTextA
GetSystemMetrics
DeferWindowPos
SendDlgItemMessageA
GetWindowRect
PostMessageA
SetMenu
LoadAcceleratorsA
SetWindowPos
DefWindowProcA
TranslateAcceleratorA
MessageBoxA
GetWindowPlacement
SendMessageA
RegisterClassA
UpdateWindow
LoadImageA
GetWindowLongA
SetWindowLongA
EndDeferWindowPos
BeginDeferWindowPos
SetFocus
GetWindowTextA
GetMenu
OpenClipboard
CheckMenuItem
EmptyClipboard
EnableMenuItem
GetParent
GetMenuItemCount
GetSubMenu
GetMenuStringA
GetClassNameA
SetClipboardData
CloseClipboard
EnableWindow
MapWindowPoints
GetCursorPos
GetSysColor
MoveWindow
LoadMenuA
LoadStringA
ModifyMenuA
DialogBoxParamA
TrackPopupMenu
DestroyMenu
CreateDialogParamA
DestroyWindow
EnumChildWindows
GetMenuItemInfoA
LoadIconA
RegisterWindowMessageA

gdi32

GetTextExtentPoint32A
SelectObject
GetStockObject
SetBkColor
CreateFontIndirectA
SetBkMode
DeleteObject
SetTextColor
GetDeviceCaps

comdlg32

FindTextA
GetSaveFileNameA
ChooseFontA

advapi32

CloseServiceHandle
QueryServiceStatus
RegCreateKeyA
StartServiceA
ChangeServiceConfigA
ControlService
OpenSCManagerA
OpenServiceA
RegLoadKeyA
RegUnLoadKeyA
RegConnectRegistryA
RegQueryValueExA
RegSetValueExA
RegDeleteValueA
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
CryptAcquireContextA
CryptReleaseContext
CryptHashData
CryptDestroyHash
CryptGetHashParam
CryptCreateHash
RegCloseKey

shell32

ShellExecuteA
ShellExecuteExA
Shell_NotifyIconA

Sections

.text
Size: 115KB - Virtual size: 115KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

eba05b579d3ab843c7be0a272e2d6b93

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bbCertificate

Extended Key Usages

Key Usages

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8Certificate

Extended Key Usages

Key Usages

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77Certificate

Extended Key Usages

Key Usages

ed:8e:aa:83:28:62:54:38:50:a1:26:c9:ca:40:8e:7a:ca:7b:23:8e:e4:a1:51:f8:ab:39:1a:6b:be:c5:aa:a5Signer

20:ed:07:9a:27:8a:9e:50:76:6c:9b:af:00:8c:a4:1a:ea:54:37:1fSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

comctl32

ws2_32

kernel32

user32

gdi32

comdlg32

advapi32

shell32

Sections

.text Size: 115KB - Virtual size: 115KB

.rdata Size: 20KB - Virtual size: 19KB

.data Size: 2KB - Virtual size: 6KB

.pdata Size: 4KB - Virtual size: 3KB

.rsrc Size: 25KB - Virtual size: 24KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

ed:8e:aa:83:28:62:54:38:50:a1:26:c9:ca:40:8e:7a:ca:7b:23:8e:e4:a1:51:f8:ab:39:1a:6b:be:c5:aa:a5
Signer

20:ed:07:9a:27:8a:9e:50:76:6c:9b:af:00:8c:a4:1a:ea:54:37:1f
Signer

.text
Size: 115KB - Virtual size: 115KB

.rdata
Size: 20KB - Virtual size: 19KB

.data
Size: 2KB - Virtual size: 6KB

.pdata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 25KB - Virtual size: 24KB