Windows Analysis Report
obs64.scr.exe

Overview

General Information

Sample Name: obs64.scr.exe
Analysis ID: 756108
MD5: 8a43b78256248131b7ef4ec9ce5dc5c2
SHA1: 50ee27c73291e0a5027d29fde20571ab66d9e5fa
SHA256: e93832ec29ff60c65860876dc6f06ddc6374be8179385c48316d4469c3225e4f
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to evade analysis by executing a special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for sample
PE file contains section with special chars
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
PE file contains an invalid checksum
Checks if the current process is being debugged
PE file contains sections with non-standard names
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Entry point lies outside standard sections

Classification

AV Detection

Source: obs64.scr.exe ReversingLabs: Detection: 26%
Source: obs64.scr.exe Virustotal: Detection: 33%
Source: obs64.scr.exe Joe Sandbox ML: detected
Source: obs64.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: obs64.scr.exe, 00000000.00000002.267362662.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.airc.privt.com/tutorials/irc_commands2Incomplete
Source: obs64.scr.exe, 00000000.00000002.269175109.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: obs64.scr.exe Static PE information: section name: .>v+
Source: obs64.scr.exe Static PE information: section name: .ch{
Source: obs64.scr.exe Static PE information: section name: .eM[
Source: obs64.scr.exe Static PE information: section name: .Zm#
Source: obs64.scr.exe Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: C:\Users\user\Desktop\obs64.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\obs64.scr.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\obs64.scr.exe File created: C:\Users\user\Desktop\obs64.scr.sCr
Source: classification engine Classification label: mal72.evad.winEXE@1/0@0/0
Source: obs64.scr.exe Static file information: File size 9445713 > 1048576
Source: obs64.scr.exe Static PE information: Raw size of .eM[ is bigger than: 0x100000 < 0x4bae00
Source: obs64.scr.exe Static PE information: real checksum: 0x4bf9ac should be: 0x910cf0
Source: initial sample Static PE information: section where entry point is pointing to: .eM[
Source: initial sample Static PE information: section name: .Zm# entropy: 7.423947252129793

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\obs64.scr.exe Memory written: PID: 344 base: D80007 value: E9 7B 4C 05 77
Source: C:\Users\user\Desktop\obs64.scr.exe Memory written: PID: 344 base: 77DD4C80 value: E9 8E B3 FA 88
Source: C:\Users\user\Desktop\obs64.scr.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\obs64.scr.exe Special instruction interceptor: First address: 0000000000B7380B instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\obs64.scr.exe RDTSC instruction interceptor: First address: 0000000000ACF024 second address: 0000000000ACF036 instructions:
  0x00000000 rdtsc
  0x00000002 inc ecx
  0x00000003 pop ebx
  0x00000004 dec ebp
  0x00000005 mov edi, edx
  0x00000007 inc cx
  0x00000009 movzx ebx, cl
  0x0000000c lahf
  0x0000000d pop ebp
  0x0000000e dec ebp
  0x0000000f movsx edx, ax
  0x00000012 rdtsc
Source: C:\Users\user\Desktop\obs64.scr.exe RDTSC instruction interceptor: First address: 0000000000B408CD second address: 0000000000B408D1 instructions:
  0x00000000 rdtsc
  0x00000002 pop ebp
  0x00000003 pop ecx
  0x00000004 rdtsc
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\obs64.scr.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\obs64.scr.exe System information queried: ModuleInformation

Anti Debugging

Source: C:\Users\user\Desktop\obs64.scr.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\obs64.scr.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\obs64.scr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\obs64.scr.exe Process queried: DebugObjectHandle
No contacted IP information