C:/Users/moon/moon/moon/moon.pdb
Static task
static1
Behavioral task
behavioral1
Sample
EacDriverBE.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
obs.exe
Resource
win10v2004-20240426-en
General
-
Target
EacDriverBE.zip
-
Size
4.7MB
-
MD5
037e1a81299dccb9cfae3f27fda2d046
-
SHA1
52b0fbc930bfb72a4775d39da91c69d46734c00a
-
SHA256
d4fd84db4cd115337bc9d97179df644966942b5f0574e0df6551cf32cfd869a2
-
SHA512
31f4c453a1240f657b627704fb0a4696055b470521bb7652257588e343bb6ea2531650dc8e03ffcd4253058a5b14a4fe5e1011856e97ea3f12439fac959fd312
-
SSDEEP
98304:nrx2fHCQ+pGZf7h4Ps7Fik7PEhJtvtXogrf4EKDTplvgKj1TEjacMfI07Uvs/oqg:AfHCQT7h4U7gk7PEhbZo0f4EKXvgKBmf
Malware Config
Signatures
-
Unsigned PE 2 IoCs
Checks for a missing Authenticode signature.
Processes:
resource unpack001/EacDriverBE.exe unpack001/obs.exe
Files
-
EacDriverBE.zip.zip
-
EacDriverBE.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
mscoree
_CorExeMain
Sections
.text Size: 9KB - Virtual size: 8KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 24B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
obs.exe.exe windows:6 windows x64 arch:x64
0f06398ad1d4ae2e635b8ebb169c257b
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
C:\root\newdump\dump\driverFN rebrands\DriverFN Diaprotected\Output\obs.pdb
Imports
kernel32
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetFileSizeEx
FormatMessageA
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
VerifyVersionInfoA
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
SetLastError
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
UnhandledExceptionFilter
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
IsDebuggerPresent
CreateThread
CreateEventW
SetEvent
OutputDebugStringW
GetSystemInfo
VirtualQuery
VirtualFree
VirtualAlloc
FlushInstructionCache
SetThreadContext
GetThreadContext
RtlLookupFunctionEntry
SuspendThread
GetCurrentThreadId
Process32NextW
Process32FirstW
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameA
IsWow64Process
UnmapViewOfFile
VirtualFreeEx
MapViewOfFile
CreateFileMappingW
WriteProcessMemory
ReadProcessMemory
VirtualProtectEx
VirtualAllocEx
VirtualProtect
OpenProcess
GetCurrentThread
CreateRemoteThread
GetExitCodeProcess
GetCurrentProcessId
GetCurrentProcess
GetLastError
GetFileAttributesW
CreateFileW
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GlobalAlloc
WakeAllConditionVariable
SleepConditionVariableSRW
GetSystemTimeAsFileTime
InitializeSListHead
Process32Next
Process32First
CreateToolhelp32Snapshot
SetConsoleTextAttribute
Sleep
DeviceIoControl
CloseHandle
CreateFileA
GetStdHandle
LoadLibraryA
GetProcAddress
GetModuleHandleA
FreeLibrary
QueryPerformanceFrequency
QueryPerformanceCounter
VerSetConditionMask
RtlCaptureContext
ResumeThread
WideCharToMultiByte
MultiByteToWideChar
RtlVirtualUnwind
GlobalFree
GlobalLock
GlobalUnlock
HeapSize
user32
TranslateMessage
LoadCursorA
ScreenToClient
ClientToScreen
GetCursorPos
SetCursor
SetCursorPos
GetClientRect
GetForegroundWindow
GetSystemMetrics
FindWindowA
FindWindowW
DispatchMessageA
DestroyWindow
GetAsyncKeyState
MessageBoxA
GetKeyState
OpenClipboard
CloseClipboard
SetClipboardData
GetClipboardData
EmptyClipboard
msvcp140
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?fail@ios_base@std@@QEBA_NXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?setf@ios_base@std@@QEAAHHH@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xbad_function_call@std@@YAXXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?is@?$ctype@D@std@@QEBA_NFD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??Bid@locale@std@@QEAA_KXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Thrd_detach
_Query_perf_frequency
_Query_perf_counter
?uncaught_exceptions@std@@YAHXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
ntdll
RtlFreeHeap
NtReadFile
NtMapViewOfSection
NtCreateSection
NtCreateFile
NtClose
RtlImageNtHeaderEx
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlReleaseRelativeName
NtQuerySystemInformation
NtUnmapViewOfSection
NtLoadDriver
NtUnloadDriver
NtDeviceIoControlFile
RtlAllocateHeap
RtlCreateRegistryKey
NtRaiseHardError
RtlAddFunctionTable
RtlGetFullPathName_UEx
RtlAdjustPrivilege
RtlWriteRegistryValue
RtlInitUnicodeString
imm32
ImmReleaseContext
ImmSetCompositionWindow
ImmSetCandidateWindow
ImmGetContext
d3dcompiler_43
D3DCompile
dwmapi
DwmExtendFrameIntoClientArea
d3dx11_43
D3DX11CreateShaderResourceViewFromMemory
d3d11
D3D11CreateDeviceAndSwapChain
psapi
GetModuleInformation
normaliz
IdnToAscii
wldap32
ord46
ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27
ord26
ord22
ord41
ord143
ord45
ord60
ord211
ord50
ord217
crypt32
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertOpenStore
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
ws2_32
ntohs
htons
getsockname
getpeername
WSAGetLastError
ntohl
gethostname
sendto
connect
bind
closesocket
recv
send
recvfrom
getsockopt
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
select
getaddrinfo
freeaddrinfo
rpcrt4
UuidToStringA
UuidCreate
RpcStringFreeA
userenv
UnloadUserProfile
vcruntime140
__current_exception_context
__current_exception
strrchr
strchr
__C_specific_handler
_CxxThrowException
__std_exception_copy
strstr
memmove
memcmp
memchr
__std_terminate
memcpy
memset
__std_exception_destroy
vcruntime140_1
__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0
_initialize_narrow_environment
_register_onexit_function
__sys_nerr
_crt_atexit
_getpid
_cexit
_seh_filter_exe
_set_app_type
strerror
_get_initial_narrow_environment
_configure_narrow_argv
_initterm
exit
_initterm_e
_resetstkoflw
_exit
_invalid_parameter_noinfo
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
terminate
_beginthreadex
_errno
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
api-ms-win-crt-string-l1-1-0
strncmp
_strdup
wcslen
_wcsicmp
strlen
_stricmp
strcmp
tolower
strpbrk
strcspn
strspn
isupper
strncpy
wcscat_s
wcscpy_s
api-ms-win-crt-heap-l1-1-0
malloc
_set_new_mode
free
realloc
calloc
_callnewh
api-ms-win-crt-stdio-l1-1-0
_write
_popen
__stdio_common_vsscanf
fgets
_close
__p__commode
_open
_read
__stdio_common_vsnprintf_s
__stdio_common_vsprintf_s
__stdio_common_vsprintf
fwrite
ungetc
setvbuf
_fseeki64
fsetpos
fputc
fgetpos
fgetc
_get_stream_buffer_pointers
__acrt_iob_func
_set_fmode
__stdio_common_vfprintf
fopen
fputs
feof
ftell
fseek
fread
_lseeki64
__stdio_common_vswprintf
fflush
fclose
_wfopen
_pclose
api-ms-win-crt-utility-l1-1-0
rand
qsort
api-ms-win-crt-math-l1-1-0
fabs
logf
pow
__setusermatherr
log
asin
atan2
_dclass
cosf
sqrt
powf
sinf
ceilf
acosf
sqrtf
roundf
tanf
api-ms-win-crt-convert-l1-1-0
strtoll
strtol
strtoull
atoi
atof
strtod
strtoul
api-ms-win-crt-filesystem-l1-1-0
_unlock_file
_fstat64
_stat64
_unlink
_access
_lock_file
api-ms-win-crt-time-l1-1-0
_time64
_gmtime64
api-ms-win-crt-locale-l1-1-0
localeconv
_configthreadlocale
advapi32
CryptReleaseContext
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
GetUserNameA
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
shell32
ShellExecuteA
Sections
.text Size: 1.7MB - Virtual size: 1.7MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 174KB - Virtual size: 174KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4.6MB - Virtual size: 4.6MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 34KB - Virtual size: 34KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.UD Size: 512B - Virtual size: 1B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.detourc Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.detourd Size: 512B - Virtual size: 24B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
_RDATA Size: 512B - Virtual size: 464B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ