98d75ab9e5f8f973a2a8bab1d92b7c3a6d13d636a98604477becb508c4f24973_NeikiAnalytics[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

98d75ab9e5f8f973a2a8bab1d92b7c3a6d13d636a98604477becb508c4f24973_NeikiAnalytics.exe
Size

664KB
MD5

77ff81088439d0348a5280ee462b26f0
SHA1

b62de756198239959739e3805ea443a0770f1f16
SHA256

98d75ab9e5f8f973a2a8bab1d92b7c3a6d13d636a98604477becb508c4f24973
SHA512

b0d06d7dcda2cc2f02d727cebfa3bfee1d78fc7afdf7c8e58d3a041f63a4e1c9b7f93d10e5ee54804ebde16889650d71a5d9fb1577b6e592e2b925440488c7b9
SSDEEP

12288:O2ZRx20xfdFMjzcJgGagn1MBHsBYKbx11ZhgpXPrYw75/choKFK6O3C9ljU:RbDLMj8gwn1MBM9bx1mNrYw7JchXFyIl

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

sample vmprotect
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

98d75ab9e5f8f973a2a8bab1d92b7c3a6d13d636a98604477becb508c4f24973_NeikiAnalytics.exe

resource	yara_rule
sample	vmprotect

resource
98d75ab9e5f8f973a2a8bab1d92b7c3a6d13d636a98604477becb508c4f24973_NeikiAnalytics.exe

Files

98d75ab9e5f8f973a2a8bab1d92b7c3a6d13d636a98604477becb508c4f24973_NeikiAnalytics.exe
.exe windows:5 windows x86 arch:x86

0b1f3e23ecb3e6b81ddc571fe0613e49

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\WorkCode\TPSP\Tpsp独立版本\Source\Bin\Release\TpspCln\TpspCln.pdb

Imports

kernel32

Sleep
GetEnvironmentVariableA
VirtualAlloc
CreateFileMappingA
OpenFileMappingA
SetFileTime
GetFileAttributesA
GetFileAttributesW
ReadFile
CreateFileW
lstrcatA
DeviceIoControl
lstrcpyW
SetLastError
FindResourceA
FreeResource
LoadResource
WaitForSingleObject
GetSystemWow64DirectoryA
SizeofResource
CreateEventA
CreateProcessA
GetSystemDirectoryA
GetProcAddress
ResetEvent
GetLocalTime
GetExitCodeThread
LockResource
GetSystemInfo
CreatePipe
GetModuleHandleA
GetVersionExA
WinExec
FreeLibrary
GetProcessHeap
IsBadReadPtr
LoadLibraryA
VirtualProtect
GetModuleHandleW
GetSystemDirectoryW
LoadLibraryW
GetCurrentThreadId
InterlockedIncrement
ExpandEnvironmentStringsA
LocalAlloc
ResumeThread
SetFilePointer
SystemTimeToFileTime
CreateDirectoryA
GetCurrentDirectoryA
LocalFileTimeToFileTime
GetDriveTypeA
GetPrivateProfileStringA
GetModuleFileNameA
GetFileSize
WaitNamedPipeW
ReadProcessMemory
SetNamedPipeHandleState
VirtualFreeEx
VirtualAllocEx
SleepEx
lstrlenW
TerminateProcess
CreateProcessW
WriteProcessMemory
VirtualProtectEx
DuplicateHandle
VirtualFree
GetCurrentDirectoryW
GetModuleFileNameW
GetVersion
VirtualQueryEx
GetCurrentThread
CreateRemoteThread
GetWindowsDirectoryW
CreateFileMappingW
CreateMutexW
OpenMutexW
OpenFileMappingW
CreateEventW
OpenEventW
ExitThread
FlushInstructionCache
ReleaseMutex
GetThreadContext
InterlockedCompareExchange
SetEndOfFile
GetDriveTypeW
SetEnvironmentVariableA
CompareStringW
GetTimeZoneInformation
InterlockedExchange
GetStringTypeW
GetFullPathNameA
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
FlushFileBuffers
UnmapViewOfFile
MapViewOfFile
FindClose
lstrcpyA
LocalFree
FormatMessageA
GetTickCount
lstrlenA
FileTimeToLocalFileTime
CreateToolhelp32Snapshot
Process32Next
lstrcmpiA
FileTimeToSystemTime
OpenProcess
GetProcessTimes
Process32First
WriteFile
WaitNamedPipeA
CreateFileA
GetSystemTime
GetCurrentProcessId
CloseHandle
CreateMutexA
GetLastError
MultiByteToWideChar
WideCharToMultiByte
ExitProcess
OutputDebugStringA
DeleteCriticalSection
AddVectoredExceptionHandler
EnterCriticalSection
HeapCreate
LeaveCriticalSection
InitializeCriticalSection
HeapFree
GetCurrentProcess
HeapAlloc
VirtualQuery
LCMapStringW
GetConsoleMode
GetConsoleCP
GetStartupInfoW
SetHandleCount
InitializeCriticalSectionAndSpinCount
SetStdHandle
HeapSize
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
RaiseException
InterlockedDecrement
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlUnwind
FindFirstFileExA
HeapSetInformation
GetCommandLineA
HeapReAlloc
GetStdHandle
WriteConsoleW
GetFileType
PeekNamedPipe
GetFileInformationByHandle
MoveFileA
CreateThread
DecodePointer
EncodePointer
GetSystemTimeAsFileTime
GetVersionExW
GetModuleFileNameW
GetModuleHandleA
LoadLibraryA
LocalAlloc
LocalFree
GetModuleFileNameA
ExitProcess

user32

GetUserObjectInformationA
CloseDesktop
LoadIconA
FindWindowExA
SendMessageA
FindWindowA
wsprintfA
CharNextA
SetTimer
KillTimer
GetParent
EnumWindows
PeekMessageA
GetDesktopWindow
GetSystemMetrics
GetThreadDesktop
GetWindowThreadProcessId
GetMessageA
TranslateMessage
DispatchMessageA
OpenInputDesktop

advapi32

OpenSCManagerA
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetLengthSid
GetKernelObjectSecurity
AllocateAndInitializeSid
FreeSid
GetTokenInformation
LookupPrivilegeValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyW
RegDeleteKeyW
CreateServiceW
OpenSCManagerW
OpenServiceW
QueryServiceConfigW
QueryServiceStatus
ChangeServiceConfigW
StartServiceW
ControlService
OpenProcessToken
QueryServiceStatusEx
StartServiceA
CreateServiceA
EnumDependentServicesA
DeleteService
CloseServiceHandle
OpenServiceA
RegDeleteValueA
RegEnumKeyExA
RegDeleteKeyA
RegCloseKey
RegOpenKeyA
BuildExplicitAccessWithNameA
RegOpenKeyExA
RegCreateKeyExA
RegQueryValueExA
RegSetValueExA
SetNamedSecurityInfoA
SetEntriesInAclA
AdjustTokenPrivileges
LookupPrivilegeValueA

shell32

SHFileOperationA
Shell_NotifyIconA
ShellExecuteExA

shlwapi

PathIsRootA
PathFindFileNameA
PathStripToRootA
PathRemoveFileSpecA
PathIsDirectoryA
PathFileExistsA
PathAddBackslashA

psapi

GetMappedFileNameA

ws2_32

getsockname
htons
inet_addr
connect
gethostname
WSACleanup
WSAStartup
WSAGetLastError
socket
send
setsockopt
ntohs
bind
getsockopt
getpeername
WSASetLastError
freeaddrinfo
closesocket
recv
gethostbyname
getaddrinfo
__WSAFDIsSet
ioctlsocket
select

imagehlp

CheckSumMappedFile

iphlpapi

GetAdaptersInfo

Sections

.text
Size: - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 161KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 661KB - Virtual size: 661KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 115KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0b1f3e23ecb3e6b81ddc571fe0613e49

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

shlwapi

psapi

ws2_32

imagehlp

iphlpapi

Sections

.text Size: - Virtual size: 1.0MB

.rdata Size: - Virtual size: 161KB

.data Size: - Virtual size: 37KB

.vmp0 Size: - Virtual size: 26KB

.vmp1 Size: 661KB - Virtual size: 661KB

.reloc Size: 512B - Virtual size: 168B

.rsrc Size: 1KB - Virtual size: 115KB

.text
Size: - Virtual size: 1.0MB

.rdata
Size: - Virtual size: 161KB

.data
Size: - Virtual size: 37KB

.vmp0
Size: - Virtual size: 26KB

.vmp1
Size: 661KB - Virtual size: 661KB

.reloc
Size: 512B - Virtual size: 168B

.rsrc
Size: 1KB - Virtual size: 115KB