ScreenShot
| Created | 2022.12.13 17:20 | Machine | s1_win7_x6401 |
| Filename | obs_updater91.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 29 detected (AIDetect, malware1, Zusy, Unsafe, ZexaF, KvZ@aKaKn1p, Attribute, HighConfidence, malicious, high confidence, Kryptik, HRWF, BotX, Generic ML PUA, Redline, score, GenericRXUV, ai score=87, lBiaAqY769S, Genetic) | ||
| md5 | af216e631d1a1b02568bcaed35fe5195 | ||
| sha256 | 9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7 | ||
| ssdeep | 24576:MFCYBGcAEbM/sNqshAEhmvIsM/sNqshAEhmvIsM/sNqshAEhmvIsM/sNqshAEhmd:MFCps1hmvIps1hmvIps1hmvIps1hmvIe | ||
| imphash | d829a66cf4812bc6fec5eaec0b3e1b2c | ||
| impfuzzy | 24:kDXepqPZ+fcxO2EneRoeWyM/JoxOov+uTdTrbT9gFQ8RyvrUjZDT4Z3tuqI:6ep0Efc6neRogXEZ8dH1HrmZDcZ3A | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (12cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x49627c FileTimeToSystemTime
0x496280 GetSystemTime
0x496284 LocalAlloc
0x496288 GetProcAddress
0x49628c CompareStringW
0x496290 CompareStringA
0x496294 FlushFileBuffers
0x496298 SetStdHandle
0x49629c DebugBreak
0x4962a0 RaiseException
0x4962a4 GetVersionExA
0x4962a8 LoadLibraryA
0x4962ac DeleteCriticalSection
0x4962b0 EnterCriticalSection
0x4962b4 LeaveCriticalSection
0x4962b8 FatalAppExitA
0x4962bc HeapFree
0x4962c0 RtlUnwind
0x4962c4 IsBadWritePtr
0x4962c8 IsBadReadPtr
0x4962cc HeapValidate
0x4962d0 HeapAlloc
0x4962d4 GetProcessHeap
0x4962d8 GetModuleFileNameA
0x4962dc CloseHandle
0x4962e0 GetCurrentProcess
0x4962e4 FreeLibrary
0x4962e8 GetStdHandle
0x4962ec WriteFile
0x4962f0 InterlockedDecrement
0x4962f4 OutputDebugStringA
0x4962f8 InterlockedIncrement
0x4962fc SetLastError
0x496300 GetModuleHandleA
0x496304 InitializeCriticalSection
0x496308 GetCommandLineA
0x49630c TerminateProcess
0x496310 ExitProcess
0x496314 HeapDestroy
0x496318 HeapCreate
0x49631c VirtualFree
0x496320 VirtualAlloc
0x496324 HeapReAlloc
0x496328 VirtualQuery
0x49632c InterlockedExchange
0x496330 GetLastError
0x496334 TlsAlloc
0x496338 GetCurrentThreadId
0x49633c TlsFree
0x496340 TlsSetValue
0x496344 TlsGetValue
0x496348 GetCurrentThread
0x49634c SetConsoleCtrlHandler
0x496350 UnhandledExceptionFilter
0x496354 FreeEnvironmentStringsA
0x496358 GetEnvironmentStrings
0x49635c FreeEnvironmentStringsW
0x496360 WideCharToMultiByte
0x496364 GetEnvironmentStringsW
0x496368 SetHandleCount
0x49636c GetFileType
0x496370 GetStartupInfoA
0x496374 GetTimeFormatA
0x496378 GetDateFormatA
0x49637c GetCPInfo
0x496380 MultiByteToWideChar
0x496384 GetStringTypeA
0x496388 GetStringTypeW
0x49638c IsValidLocale
0x496390 IsValidCodePage
0x496394 GetLocaleInfoA
0x496398 EnumSystemLocalesA
0x49639c GetUserDefaultLCID
0x4963a0 GetACP
0x4963a4 GetOEMCP
0x4963a8 QueryPerformanceCounter
0x4963ac GetTickCount
0x4963b0 GetCurrentProcessId
0x4963b4 GetSystemTimeAsFileTime
0x4963b8 GetTimeZoneInformation
0x4963bc VirtualProtect
0x4963c0 GetSystemInfo
0x4963c4 LCMapStringA
0x4963c8 LCMapStringW
0x4963cc SetFilePointer
0x4963d0 GetLocaleInfoW
0x4963d4 SetEnvironmentVariableA
WINSPOOL.DRV
0x496448 PrinterProperties
ole32.dll
0x496478 CoFileTimeNow
EAT(Export Address Table) is none
KERNEL32.dll
0x49627c FileTimeToSystemTime
0x496280 GetSystemTime
0x496284 LocalAlloc
0x496288 GetProcAddress
0x49628c CompareStringW
0x496290 CompareStringA
0x496294 FlushFileBuffers
0x496298 SetStdHandle
0x49629c DebugBreak
0x4962a0 RaiseException
0x4962a4 GetVersionExA
0x4962a8 LoadLibraryA
0x4962ac DeleteCriticalSection
0x4962b0 EnterCriticalSection
0x4962b4 LeaveCriticalSection
0x4962b8 FatalAppExitA
0x4962bc HeapFree
0x4962c0 RtlUnwind
0x4962c4 IsBadWritePtr
0x4962c8 IsBadReadPtr
0x4962cc HeapValidate
0x4962d0 HeapAlloc
0x4962d4 GetProcessHeap
0x4962d8 GetModuleFileNameA
0x4962dc CloseHandle
0x4962e0 GetCurrentProcess
0x4962e4 FreeLibrary
0x4962e8 GetStdHandle
0x4962ec WriteFile
0x4962f0 InterlockedDecrement
0x4962f4 OutputDebugStringA
0x4962f8 InterlockedIncrement
0x4962fc SetLastError
0x496300 GetModuleHandleA
0x496304 InitializeCriticalSection
0x496308 GetCommandLineA
0x49630c TerminateProcess
0x496310 ExitProcess
0x496314 HeapDestroy
0x496318 HeapCreate
0x49631c VirtualFree
0x496320 VirtualAlloc
0x496324 HeapReAlloc
0x496328 VirtualQuery
0x49632c InterlockedExchange
0x496330 GetLastError
0x496334 TlsAlloc
0x496338 GetCurrentThreadId
0x49633c TlsFree
0x496340 TlsSetValue
0x496344 TlsGetValue
0x496348 GetCurrentThread
0x49634c SetConsoleCtrlHandler
0x496350 UnhandledExceptionFilter
0x496354 FreeEnvironmentStringsA
0x496358 GetEnvironmentStrings
0x49635c FreeEnvironmentStringsW
0x496360 WideCharToMultiByte
0x496364 GetEnvironmentStringsW
0x496368 SetHandleCount
0x49636c GetFileType
0x496370 GetStartupInfoA
0x496374 GetTimeFormatA
0x496378 GetDateFormatA
0x49637c GetCPInfo
0x496380 MultiByteToWideChar
0x496384 GetStringTypeA
0x496388 GetStringTypeW
0x49638c IsValidLocale
0x496390 IsValidCodePage
0x496394 GetLocaleInfoA
0x496398 EnumSystemLocalesA
0x49639c GetUserDefaultLCID
0x4963a0 GetACP
0x4963a4 GetOEMCP
0x4963a8 QueryPerformanceCounter
0x4963ac GetTickCount
0x4963b0 GetCurrentProcessId
0x4963b4 GetSystemTimeAsFileTime
0x4963b8 GetTimeZoneInformation
0x4963bc VirtualProtect
0x4963c0 GetSystemInfo
0x4963c4 LCMapStringA
0x4963c8 LCMapStringW
0x4963cc SetFilePointer
0x4963d0 GetLocaleInfoW
0x4963d4 SetEnvironmentVariableA
WINSPOOL.DRV
0x496448 PrinterProperties
ole32.dll
0x496478 CoFileTimeNow
EAT(Export Address Table) is none