Windows Analysis Report
obs64.scr.exe

Overview

General Information

Sample Name:obs64.scr.exe
Analysis ID:756108
MD5:8a43b78256248131b7ef4ec9ce5dc5c2
SHA1:50ee27c73291e0a5027d29fde20571ab66d9e5fa
SHA256:e93832ec29ff60c65860876dc6f06ddc6374be8179385c48316d4469c3225e4f
Tags:exe

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to evade analysis by execution special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for sample
PE file contains section with special chars
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
PE file contains an invalid checksum
Checks if the current process is being debugged
PE file contains sections with non-standard names
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Entry point lies outside standard sections

Classification

  • System is w10x64
  • obs64.scr.exe (PID: 344 cmdline: C:\Users\user\Desktop\obs64.scr.exe MD5: 8A43B78256248131B7EF4EC9CE5DC5C2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: obs64.scr.exe; ReversingLabs: Detection: 26%
Source: obs64.scr.exe; Virustotal: Detection: 33%
Source: obs64.scr.exe; Joe Sandbox ML: detected
Source: obs64.scr.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: obs64.scr.exe, 00000000.00000002.267362662.0000000000401000.00000020.00000001.01000000.00000003.sdmp; String found in binary or memory: http://www.airc.privt.com/tutorials/irc_commands2Incomplete
Source: obs64.scr.exe, 00000000.00000002.269175109.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: obs64.scr.exe; Static PE information: section name: .>v+
Source: obs64.scr.exe; Static PE information: section name: .ch{
Source: obs64.scr.exe; Static PE information: section name: .eM[
Source: obs64.scr.exe; Static PE information: section name: .Zm#
Source: obs64.scr.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: obs64.scr.exe; Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: obs64.scr.exe; ReversingLabs: Detection: 26%
Source: obs64.scr.exe; Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\obs64.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\obs64.scr.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\obs64.scr.exe; File created: C:\Users\user\Desktop\obs64.scr.sCr
Source: classification engine; Classification label: mal72.evad.winEXE@1/0@0/0
Source: obs64.scr.exe; Static file information: File size 9445713 > 1048576
Source: obs64.scr.exe; Static PE information: Raw size of .eM[ is bigger than: 0x100000 < 0x4bae00
Source: obs64.scr.exe; Static PE information: real checksum: 0x4bf9ac should be: 0x910cf0
Source: obs64.scr.exe; Static PE information: section name: .>v+
Source: obs64.scr.exe; Static PE information: section name: .ch{
Source: obs64.scr.exe; Static PE information: section name: .eM[
Source: obs64.scr.exe; Static PE information: section name: .Zm#
Source: initial sample; Static PE information: section where entry point is pointing to: .eM[
Source: initial sample; Static PE information: section name: .Zm# entropy: 7.423947252129793

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\obs64.scr.exe; Memory written: PID: 344 base: D80007 value: E9 7B 4C 05 77
Source: C:\Users\user\Desktop\obs64.scr.exe; Memory written: PID: 344 base: 77DD4C80 value: E9 8E B3 FA 88
Source: C:\Users\user\Desktop\obs64.scr.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\obs64.scr.exe; Special instruction interceptor: First address: 0000000000B7380B instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\obs64.scr.exe; RDTSC instruction interceptor: First address: 0000000000ACF024 second address: 0000000000ACF036 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop ebx 0x00000004 dec ebp 0x00000005 mov edi, edx 0x00000007 inc cx 0x00000009 movzx ebx, cl 0x0000000c lahf 0x0000000d pop ebp 0x0000000e dec ebp 0x0000000f movsx edx, ax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\obs64.scr.exe; RDTSC instruction interceptor: First address: 0000000000B408CD second address: 0000000000B408D1 instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 pop ecx 0x00000004 rdtsc
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\obs64.scr.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\obs64.scr.exe; System information queried: ModuleInformation

Anti Debugging

Source: C:\Users\user\Desktop\obs64.scr.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\obs64.scr.exe; System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\obs64.scr.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\obs64.scr.exe; Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\obs64.scr.exe; Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\obs64.scr.exe; Process queried: DebugPort
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

MITRE ATT&CK Matrix

Techniques are listed per tactic column. A number before a technique is the count of matching signatures; unnumbered techniques are the unmatched cells of the matrix.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
  • Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
  • Defense Evasion: 1 Masquerading, 12 Virtualization/Sandbox Evasion, 1 Software Packing, 1 Obfuscated Files or Information
  • Credential Access: 1 Credential API Hooking, 1 Input Capture, Security Account Manager, NTDS
  • Discovery: 32 Security Software Discovery, 12 Virtualization/Sandbox Evasion, 1 Process Discovery, 22 System Information Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
  • Collection: 1 Credential API Hooking, 1 Input Capture, Data from Network Shared Drive, Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
  • Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud
Behavior Graph: image not included in this export. Legend icons: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
  • obs64.scr.exe: 27% (ReversingLabs), label: Win32.Trojan.Generic
  • obs64.scr.exe: 33% (Virustotal)
  • obs64.scr.exe: 100% (Joe Sandbox ML)

Dropped Files
No Antivirus matches

Unpacked PE Files
  • 0.2.obs64.scr.exe.400000.0.unpack: 100% (Avira), label: TR/Crypt.XPACK.Gen
  • 0.0.obs64.scr.exe.400000.0.unpack: 100% (Avira), label: TR/Crypt.XPACK.Gen

Domains
No Antivirus matches

URLs
  • http://www.airc.privt.com/tutorials/irc_commands2Incomplete: 0% (Virustotal)
  • http://www.airc.privt.com/tutorials/irc_commands2Incomplete: 0% (Avira URL Cloud), label: safe

Domains and IPs

Contacted Domains
No contacted domains info

URLs from Memory and Binaries
  • Name: http://www.airc.privt.com/tutorials/irc_commands2Incomplete
  • Source: obs64.scr.exe, 00000000.00000002.267362662.0000000000401000.00000020.00000001.01000000.00000003.sdmp
  • Malicious: false
  • Antivirus Detection: 0% (Virustotal); Avira URL Cloud: safe
  • Reputation: unknown

Contacted IPs
No contacted IP infos
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:756108
Start date and time:2022-11-29 16:40:55 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 8s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:obs64.scr.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.evad.winEXE@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Excluded domains from analysis (whitelisted): fs.microsoft.com
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.983219202559223
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:obs64.scr.exe
File size:9445713
MD5:8a43b78256248131b7ef4ec9ce5dc5c2
SHA1:50ee27c73291e0a5027d29fde20571ab66d9e5fa
SHA256:e93832ec29ff60c65860876dc6f06ddc6374be8179385c48316d4469c3225e4f
SHA512:761dcbadb99091f89ff9ef21993bfa462d3bc7da84f940e5ba8043fce8122e2be02ba729f42ed74ba09db57b24876d891bb2b7594c81ea4bbd373b6848026467
SSDEEP:196608:z/pTRauTO0mU3CowPV0rjTuVcF06BDQ0tTdG5nzC0tt:91hOHUjwCjuVcF06TY5nzn
TLSH:FE9633B6639904D6E1C5C8328937BDE6B1F5032B9F41E870E9CA6DC56C12AF6D382D13
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................................,To...........@...................................K.............................`.y.O..
Icon Hash:00828e8e8686b000
Entrypoint:0xaf542c
Entrypoint Section:.eM[
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:801fe4064ba15978bca5b90b38949cd8
Entrypoint Preview (Instruction)
call 00007F1548C96A88h
mov eax, dword ptr [esi]
adc dl, 00000050h
mov dl, byte ptr [esi+04h]
clc
cmp edi, 4CED09E2h
lea esi, dword ptr [esi+00000006h]
test ecx, 6B8C62F0h
mov byte ptr [eax], dl
adc al, 28h
sar eax, 6Ah
sub edi, 00000004h
mov eax, dword ptr [edi]
xor eax, ebx
stc
neg eax
stc
clc
cmp edi, 4E93567Fh
add eax, 5AA12BACh
stc
cmc
rol eax, 1
cmp dh, FFFFFFB4h
cmp dx, si
xor eax, 1B091CA6h
dec eax
xor ebx, eax
jmp 00007F154897EB3Ah
mov ecx, dword ptr [esi]
add ax, di
not ah
sub ax, 00004291h
mov eax, dword ptr [esi+04h]
test esp, esi
jmp 00007F1548C19050h
mov word ptr [edi+04h], ax
movsx ecx, dx
pushfd
setno cl
pop dword ptr [edi]
btr cx, di
bsf cx, bp
or ecx, edx
lea ebp, dword ptr [ebp-00000004h]
sar cl, 0000003Bh
neg ch
mov ecx, dword ptr [ebp+00h]
xor ecx, ebx
not ecx
jmp 00007F15489B7B98h
jmp 00007F154892C5D9h
inc cx
movzx eax, byte ptr [esp]
inc bp
shrd ebx, edi, 000000C4h
inc cx
bt ebx, 26h
dec ecx
sbb ebx, 3F124795h
inc ebp
mov cl, byte ptr [esp+02h]
inc ecx
sal bl, FFFFFFDBh
inc sp
bsr ebx, esi
Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x79ab60         0xc4f         .eM[
IMAGE_DIRECTORY_ENTRY_IMPORT          0x351c0c         0x64          .eM[
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x80d000         0x21c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x350000         0x38          .ch{
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
.text  0x1000           0xccfc4       0x0       False     0                empty      0.0                  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data  0xce000          0xa3dc        0x0       False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.>v+   0xd9000          0x2760c4      0x0       unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.ch{   0x350000         0x6a0         0x800     False     0.03173828125    data       0.17722768238445855  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.eM[   0x351000         0x4bad60      0x4bae00  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.Zm#   0x80c000         0x5a0         0x600     False     0.91015625       data       7.423947252129793    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  0x80d000         0x21c         0x400     False     0.2841796875     data       1.8158983569130027   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
  • RT_VERSION: RVA 0x80d058, size 0x1c4, type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970; language: German; country: Germany
Imports
  • mSvbVm60.dLl: __vbaR8FixI4
  • KERNEL32.dll: GetSystemTimeAsFileTime
  • USER32.dll: CharUpperBuffW
  • KERNEL32.dll: LocalAlloc, LocalFree, GetModuleFileNameW, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress
Language of compilation system: German
Country where language is spoken: Germany
No network behavior found
Target ID:0
Start time:16:41:54
Start date:29/11/2022
Path:C:\Users\user\Desktop\obs64.scr.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\obs64.scr.exe
Imagebase:0x400000
File size:9445713 bytes
MD5 hash:8A43B78256248131B7EF4EC9CE5DC5C2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Visual Basic
Reputation:low

No disassembly