cheer[.]exe | Triage

Sharing

General

Target

cheer.exe
Size

341KB
MD5

4812b2ed4de7e3d6cb982379bc4643bf
SHA1

e57a8fd6f14f85a047a2491dc04bb1576d5f64b5
SHA256

70279f05dc5d5fa9fe2c4ffdb929b87240c188553b8f2b5d9c79d815d7594779
SHA512

6a353451136e802c79eaa397a70aa4bb56b62d2c5a62b2ae6064fb2e73b0fff3b18a674a37d856fb13f9d64614ba3ae7ca2ad65b933d006d92820db472c1bf91
SSDEEP

6144:mnEqPOcmbPkFznPYqMEccwVwguPMehHMUYQYfkukH0:MWcmbPkFznP9cc/0ehgPfxkH0

Score

9^/10

Malware Config

Signatures

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
sample	Nirsoft

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cheer.exe

Files

cheer.exe
.dll windows:5 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\depot\UnrealEngine3-PhysX\Tools\PhysXExtensions\bin\win32\PhysXExtensions.pdb

Exports

Exports

NxCreateExtension
NxReleaseExtension

Sections

.text
Size: 105KB - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 10KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PEinject
Size: 98KB - Virtual size: 97KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE