General

Malware Config

Signatures

Files

• EacDriverBE.zip

  .zip
• EacDriverBE.exe

  .exe windows:4 windows x86 arch:x86

  f34d5f2d4577ed6d9ceec516c1f5a744

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  PDB Paths

  C:/Users/moon/moon/moon/moon.pdb

  Imports

  mscoree

  _CorExeMain

  Sections

  .text

  Size: 9KB - Virtual size: 8KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1KB - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 24B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

• obs.exe

  .exe windows:6 windows x64 arch:x64

  0f06398ad1d4ae2e635b8ebb169c257b

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  PDB Paths

  C:\root\newdump\dump\driverFN rebrands\DriverFN Diaprotected\Output\obs.pdb

  Imports

  kernel32

  AcquireSRWLockExclusive

  ReleaseSRWLockExclusive

  GetFileSizeEx

  FormatMessageA

  WaitForMultipleObjects

  PeekNamedPipe

  ReadFile

  GetFileType

  GetEnvironmentVariableA

  WaitForSingleObjectEx

  MoveFileExA

  GetTickCount

  VerifyVersionInfoA

  GetSystemDirectoryA

  SleepEx

  LeaveCriticalSection

  EnterCriticalSection

  LocalFree

  SetLastError

  DeleteCriticalSection

  InitializeCriticalSectionEx

  GetProcessHeap

  UnhandledExceptionFilter

  HeapFree

  HeapReAlloc

  HeapAlloc

  HeapDestroy

  IsDebuggerPresent

  CreateThread

  CreateEventW

  SetEvent

  OutputDebugStringW

  GetSystemInfo

  VirtualQuery

  VirtualFree

  VirtualAlloc

  FlushInstructionCache

  SetThreadContext

  GetThreadContext

  RtlLookupFunctionEntry

  SuspendThread

  GetCurrentThreadId

  Process32NextW

  Process32FirstW

  QueryFullProcessImageNameW

  GetModuleHandleW

  GetModuleFileNameA

  IsWow64Process

  UnmapViewOfFile

  VirtualFreeEx

  MapViewOfFile

  CreateFileMappingW

  WriteProcessMemory

  ReadProcessMemory

  VirtualProtectEx

  VirtualAllocEx

  VirtualProtect

  OpenProcess

  GetCurrentThread

  CreateRemoteThread

  GetExitCodeProcess

  GetCurrentProcessId

  GetCurrentProcess

  GetLastError

  GetFileAttributesW

  CreateFileW

  SetUnhandledExceptionFilter

  TerminateProcess

  IsProcessorFeaturePresent

  GlobalAlloc

  WakeAllConditionVariable

  SleepConditionVariableSRW

  GetSystemTimeAsFileTime

  InitializeSListHead

  Process32Next

  Process32First

  CreateToolhelp32Snapshot

  SetConsoleTextAttribute

  Sleep

  DeviceIoControl

  CloseHandle

  CreateFileA

  GetStdHandle

  LoadLibraryA

  GetProcAddress

  GetModuleHandleA

  FreeLibrary

  QueryPerformanceFrequency

  QueryPerformanceCounter

  VerSetConditionMask

  RtlCaptureContext

  ResumeThread

  WideCharToMultiByte

  MultiByteToWideChar

  RtlVirtualUnwind

  GlobalFree

  GlobalLock

  GlobalUnlock

  HeapSize

  user32

  TranslateMessage

  LoadCursorA

  ScreenToClient

  ClientToScreen

  GetCursorPos

  SetCursor

  SetCursorPos

  GetClientRect

  GetForegroundWindow

  GetSystemMetrics

  FindWindowA

  FindWindowW

  DispatchMessageA

  DestroyWindow

  GetAsyncKeyState

  MessageBoxA

  GetKeyState

  OpenClipboard

  CloseClipboard

  SetClipboardData

  GetClipboardData

  EmptyClipboard

  msvcp140

  ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ

  ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z

  ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z

  ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ

  ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z

  ?fail@ios_base@std@@QEBA_NXZ

  ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A

  ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A

  ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A

  ?id@?$ctype@D@std@@2V0locale@2@A

  ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ

  ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z

  ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ

  ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z

  ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z

  ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z

  ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z

  ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z

  ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ

  ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ

  ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z

  ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z

  ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ

  ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z

  ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ

  ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ

  ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ

  ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z

  ?setf@ios_base@std@@QEAAHHH@Z

  ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ

  ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z

  ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z

  ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ

  ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z

  ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z

  ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z

  ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ

  ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ

  ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ

  ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z

  ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ

  ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ

  ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ

  ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ

  ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z

  ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z

  ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ

  ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ

  ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ

  ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ

  ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z

  ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z

  ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ

  ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ

  ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ

  ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ

  ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z

  ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ

  ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ

  ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ

  ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z

  ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ

  ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z

  ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z

  ?_Xbad_function_call@std@@YAXXZ

  ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ

  ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z

  ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ

  ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ

  ?width@ios_base@std@@QEAA_J_J@Z

  ?width@ios_base@std@@QEBA_JXZ

  ?flags@ios_base@std@@QEBAHXZ

  ?good@ios_base@std@@QEBA_NXZ

  ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z

  ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z

  ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z

  ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z

  ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z

  ?is@?$ctype@D@std@@QEBA_NFD@Z

  ?always_noconv@codecvt_base@std@@QEBA_NXZ

  ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ

  ??Bid@locale@std@@QEAA_KXZ

  ?_Throw_Cpp_error@std@@YAXH@Z

  _Cnd_do_broadcast_at_thread_exit

  _Thrd_detach

  _Query_perf_frequency

  _Query_perf_counter

  ?uncaught_exceptions@std@@YAHXZ

  ??1_Lockit@std@@QEAA@XZ

  ??0_Lockit@std@@QEAA@H@Z

  ?_Xout_of_range@std@@YAXPEBD@Z

  ?_Xlength_error@std@@YAXPEBD@Z

  ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z

  ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z

  ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z

  ntdll

  RtlFreeHeap

  NtReadFile

  NtMapViewOfSection

  NtCreateSection

  NtCreateFile

  NtClose

  RtlImageNtHeaderEx

  RtlDosPathNameToRelativeNtPathName_U_WithStatus

  RtlReleaseRelativeName

  NtQuerySystemInformation

  NtUnmapViewOfSection

  NtLoadDriver

  NtUnloadDriver

  NtDeviceIoControlFile

  RtlAllocateHeap

  RtlCreateRegistryKey

  NtRaiseHardError

  RtlAddFunctionTable

  RtlGetFullPathName_UEx

  RtlAdjustPrivilege

  RtlWriteRegistryValue

  RtlInitUnicodeString

  imm32

  ImmReleaseContext

  ImmSetCompositionWindow

  ImmSetCandidateWindow

  ImmGetContext

  d3dcompiler_43

  D3DCompile

  dwmapi

  DwmExtendFrameIntoClientArea

  d3dx11_43

  D3DX11CreateShaderResourceViewFromMemory

  d3d11

  D3D11CreateDeviceAndSwapChain

  psapi

  GetModuleInformation

  normaliz

  IdnToAscii

  wldap32

  ord46

  ord301

  ord200

  ord30

  ord79

  ord35

  ord33

  ord32

  ord27

  ord26

  ord22

  ord41

  ord143

  ord45

  ord60

  ord211

  ord50

  ord217

  crypt32

  CertFreeCertificateChain

  CertGetCertificateChain

  CertFreeCertificateChainEngine

  CertOpenStore

  CertCreateCertificateChainEngine

  CryptQueryObject

  CertGetNameStringA

  CertFindExtension

  CertAddCertificateContextToStore

  CryptDecodeObjectEx

  PFXImportCertStore

  CryptStringToBinaryA

  CertFreeCertificateContext

  CertFindCertificateInStore

  CertEnumCertificatesInStore

  CertCloseStore

  ws2_32

  ntohs

  htons

  getsockname

  getpeername

  WSAGetLastError

  ntohl

  gethostname

  sendto

  connect

  bind

  closesocket

  recv

  send

  recvfrom

  getsockopt

  setsockopt

  socket

  WSASetLastError

  WSAIoctl

  WSAStartup

  WSACleanup

  accept

  htonl

  listen

  ioctlsocket

  __WSAFDIsSet

  select

  getaddrinfo

  freeaddrinfo

  rpcrt4

  UuidToStringA

  UuidCreate

  RpcStringFreeA

  userenv

  UnloadUserProfile

  vcruntime140

  __current_exception_context

  __current_exception

  strrchr

  strchr

  __C_specific_handler

  _CxxThrowException

  __std_exception_copy

  strstr

  memmove

  memcmp

  memchr

  __std_terminate

  memcpy

  memset

  __std_exception_destroy

  vcruntime140_1

  __CxxFrameHandler4

  api-ms-win-crt-runtime-l1-1-0

  _initialize_narrow_environment

  _register_onexit_function

  __sys_nerr

  _crt_atexit

  _getpid

  _cexit

  _seh_filter_exe

  _set_app_type

  strerror

  _get_initial_narrow_environment

  _configure_narrow_argv

  _initterm

  exit

  _initterm_e

  _resetstkoflw

  _exit

  _invalid_parameter_noinfo

  __p___argc

  __p___argv

  _c_exit

  _register_thread_local_exe_atexit_callback

  terminate

  _beginthreadex

  _errno

  _initialize_onexit_table

  _invalid_parameter_noinfo_noreturn

  api-ms-win-crt-string-l1-1-0

  strncmp

  _strdup

  wcslen

  _wcsicmp

  strlen

  _stricmp

  strcmp

  tolower

  strpbrk

  strcspn

  strspn

  isupper

  strncpy

  wcscat_s

  wcscpy_s

  api-ms-win-crt-heap-l1-1-0

  malloc

  _set_new_mode

  free

  realloc

  calloc

  _callnewh

  api-ms-win-crt-stdio-l1-1-0

  _write

  _popen

  __stdio_common_vsscanf

  fgets

  _close

  __p__commode

  _open

  _read

  __stdio_common_vsnprintf_s

  __stdio_common_vsprintf_s

  __stdio_common_vsprintf

  fwrite

  ungetc

  setvbuf

  _fseeki64

  fsetpos

  fputc

  fgetpos

  fgetc

  _get_stream_buffer_pointers

  __acrt_iob_func

  _set_fmode

  __stdio_common_vfprintf

  fopen

  fputs

  feof

  ftell

  fseek

  fread

  _lseeki64

  __stdio_common_vswprintf

  fflush

  fclose

  _wfopen

  _pclose

  api-ms-win-crt-utility-l1-1-0

  rand

  qsort

  api-ms-win-crt-math-l1-1-0

  fabs

  logf

  pow

  __setusermatherr

  log

  asin

  atan2

  _dclass

  cosf

  sqrt

  powf

  sinf

  ceilf

  acosf

  sqrtf

  roundf

  tanf

  api-ms-win-crt-convert-l1-1-0

  strtoll

  strtol

  strtoull

  atoi

  atof

  strtod

  strtoul

  api-ms-win-crt-filesystem-l1-1-0

  _unlock_file

  _fstat64

  _stat64

  _unlink

  _access

  _lock_file

  api-ms-win-crt-time-l1-1-0

  _time64

  _gmtime64

  api-ms-win-crt-locale-l1-1-0

  localeconv

  _configthreadlocale

  advapi32

  CryptReleaseContext

  OpenProcessToken

  AdjustTokenPrivileges

  LookupPrivilegeValueW

  RegCloseKey

  RegCreateKeyExW

  RegSetValueExW

  AddAccessAllowedAce

  GetLengthSid

  GetTokenInformation

  InitializeAcl

  IsValidSid

  GetUserNameA

  SetSecurityInfo

  CopySid

  ConvertSidToStringSidA

  CryptAcquireContextA

  CryptGetHashParam

  CryptGenRandom

  CryptCreateHash

  CryptHashData

  CryptEncrypt

  CryptImportKey

  CryptDestroyKey

  CryptDestroyHash

  shell32

  ShellExecuteA

  Sections

  .text

  Size: 1.7MB - Virtual size: 1.7MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 174KB - Virtual size: 174KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 4.6MB - Virtual size: 4.6MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .pdata

  Size: 34KB - Virtual size: 34KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .UD

  Size: 512B - Virtual size: 1B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .detourc

  Size: 8KB - Virtual size: 8KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .detourd

  Size: 512B - Virtual size: 24B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  _RDATA

  Size: 512B - Virtual size: 464B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 5KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 4KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ