Download geo drweb com pub dr web windows workstation 10 0 dr web-10 0-ss-win exe


This report is generated from a file or URL submitted to this webservice on July 4th (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, (build ), Service Pack 1
Report generated by Falcon Sandbox v © Hybrid Analysis

Incident Response

Spyware
Hooks API calls
Fingerprint
Reads the active computer name
Evasive
Possibly checks for the presence of an Antivirus engine
The input sample contains a known anti-VM trick

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

  • Suspicious Indicators 13

  • Anti-Detection/Stealthyness
    • Possibly checks for the presence of an Antivirus engine
      details
      "InsertXAntiVirus" (Indicator: "antivirus")
      "www.oxygen.com.ro" (Indicator: "drweb")
      "APP_DRWEB2" (Indicator: "drweb")
      "DrWebUnix" (Indicator: "drweb")
      source
      String
      relevance
      3/10
  • Anti-Reverse Engineering
  • Environment Awareness
    • Reads the active computer name
      details
      "www.oxygen.com.ro" (Path: "HKLM\SYSTEM\CONTROLSET\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      source
      Registry Access
      relevance
      5/10
  • External Systems
    • Found an IP/URL artifact that was identified as malicious by at least one reputation engine
      details
      1/66 reputation engines marked "www.oxygen.com.ro" as malicious (1% detection rate)
      1/67 reputation engines marked "www.oxygen.com.ro" as malicious (1% detection rate)
      1/68 reputation engines marked "www.oxygen.com.ro" as malicious (1% detection rate)
      2/66 reputation engines marked "www.oxygen.com.ro" as malicious (3% detection rate)
      1/64 reputation engines marked "www.oxygen.com.ro" as malicious (1% detection rate)
      source
      External System
      relevance
      10/10
  • General
  • Installation/Persistence
    • Monitors specific registry key for changes
      details
      "www.oxygen.com.ro" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: )
      "www.oxygen.com.ro" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: )
      source
      API Call
      relevance
      4/10
  • Network Related
    • Found potential IP address in binary/memory
      details
      ""
      ""
      Heuristic match: ""
      ""
      Heuristic match: ""
      ""
      Heuristic match: ""
      Heuristic match: ""
      ""
      ""
      ""
      source
      String
      relevance
      3/10
  • System Security
    • Hooks API calls
      details
      "SetUnhandledExceptionFilter@KERNELDLL" in "www.oxygen.com.ro"
      source
      Hook Detection
      relevance
      10/10
  • Unusual Characteristics
    • Imports suspicious APIs
      details
      RegCreateKeyExW
      RegCloseKey
      SetSecurityDescriptorDacl
      OpenProcessToken
      RegOpenKeyExW
      RegEnumKeyA
      CreateServiceW
      RegOpenKeyExA
      RegDeleteValueW
      StartServiceW
      StartServiceCtrlDispatcherW
      RegDeleteValueA
      CertDeleteCertificateFromStore
      CreateFileMappingA
      GetFileAttributesW
      UnhandledExceptionFilter
      GetTempPathW
      ConnectNamedPipe
      OutputDebugStringW
      OutputDebugStringA
      DeviceIoControl
      WriteProcessMemory
      GetModuleFileNameW
      IsDebuggerPresent
      GetVersionExA
      GetModuleFileNameA
      LoadLibraryExW
      CreateThread
      DisconnectNamedPipe
      ExitThread
      TerminateProcess
      GetModuleHandleExW
      SleepEx
      LoadLibraryW
      GetVersionExW
      GetTickCount
      VirtualProtect
      LoadLibraryA
      GetFileSize
      OpenProcess
      GetStartupInfoW
      CreateDirectoryW
      DeleteFileW
      GetProcAddress
      GetFileSizeEx
      FindNextFileW
      FindFirstFileW
      FindFirstFileExW
      CreateFileW
      CreateFileA
      CreateFileMappingW
      GetCommandLineW
      GetCommandLineA
      MapViewOfFile
      GetModuleHandleA
      GetModuleHandleW
      CreateProcessA
      WriteFile
      Sleep
      VirtualAlloc
      WSAStartup
      connect
      WSASend
      listen
      WSASocketW
      closesocket
      bind
      source
      Static Parser
      relevance
      1/10
    • Installs hooks/patches the running process
      details
      "www.oxygen.com.ro" wrote bytes "33c0c3" to virtual address "0x76D" ("SetUnhandledExceptionFilter@KERNELDLL")
      source
      Hook Detection
      relevance
      10/10
  • Hiding 3 Suspicious Indicators
    • All indicators are available only in the private webservice or standalone version
  • Informative 9

  • Environment Awareness
  • External Systems
  • General
    • Contains ability to create named pipes for inter-process communication (IPC)
      details
      CreateNamedPipeA@KERNELdll (Show Stream)
      source
      Hybrid Analysis Technology
      relevance
      10/10
    • Sample shows a variety of benign indicators
      details
      The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
      source
      Indicator Combinations
      relevance
      10/10
    • The input sample is signed with a certificate
      details
      The input sample is signed with a certificate issued by "CN=DigiCert High Assurance Code Signing CA-1, OU=www.oxygen.com.ro, O=DigiCert Inc, C=US" (SHA1: EA:A5:FF:DC:AAEAD:0C:6DDC:C; see report for more information)
      The input sample is signed with a certificate issued by "CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US" (SHA1: 2FAFDB:0A:3FF:FB:3F:7B:D2:D; see report for more information)
      The input sample is signed with a certificate issued by "CN=DigiCert Assured ID CA-1, OU=www.oxygen.com.ro, O=DigiCert Inc, C=US" (SHA1: DDEFD:E5:DEABD; see report for more information)
      The input sample is signed with a certificate issued by "CN=DigiCert High Assurance EV Root CA, OU=www.oxygen.com.ro, O=DigiCert Inc, C=US" (SHA1: EFDCEA:FE:DDEACAB; see report for more information)
      The input sample is signed with a certificate issued by "CN=DigiCert Assured ID Root CA, OU=www.oxygen.com.ro, O=DigiCert Inc, C=US" (SHA1: AB:5AF4:DDD:FCAAC; see report for more information)
      source
      Certificate Data
      relevance
      10/10
    • The input sample is signed with a valid certificate
      details
      The entire certificate chain of the input sample was validated successfully.
      source
      Certificate Data
      relevance
      10/10
  • Installation/Persistence
  • Network Related
    • Found potential URL in binary/memory
      details
      Heuristic match: "..\src\google\protobuf\stubs\www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\message_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\text_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\extension_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\io\coded_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\wire_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\reflection_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\generated_message_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\wire_format_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\descriptor_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\dynamic_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\io\www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\io\zero_copy_stream_impl_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\extension_set_www.oxygen.com.ro"
      Heuristic match: "..\src\google\protobuf\io\zero_copy_www.oxygen.com.ro"
      Pattern match: "www.oxygen.com.ro"
      Heuristic match: "www.oxygen.com.ro"
      Heuristic match: "..\dws9-proto-files\www.oxygen.com.ro"
      Pattern match: "www.oxygen.com.ro?parentalcontrol_www.oxygen.com.ro"
      Pattern match: "www.oxygen.com.ro?url=%hs"
      Pattern match: "www.oxygen.com.ro?spider_www.oxygen.com.ro"
      Pattern match: "www.oxygen.com.ro?u=%hs&vn=%hs"
      Pattern match: "www.oxygen.com.ro?lng=en"
      Pattern match: "www.oxygen.com.ro?lng=en#white_list"
      Pattern match: "www.oxygen.com.ro#section"
      source
      String
      relevance
      10/10

File Details

File Metadata


  • 27 .LIB Files generated with www.oxygen.com.ro (Visual Studio ) (build: )
  • 1 .C Files (converted from .NET IL) compiled with www.oxygen.com.ro (Visual Studio ) (build: )
  • 4 .OBJ Files (OMF) linked with www.oxygen.com.ro (Visual Studio 5) (build: )
  • 41 .OBJ Files (COFF) linked with www.oxygen.com.ro (Visual Studio 6) (build: )
  • .OBJ Files (OMF) linked with www.oxygen.com.ro (Visual Studio 6) (build: )
  • 43 .OBJ Files (OMF) linked with www.oxygen.com.ro (Visual Studio 6) (build: )
  • 12 .OBJ Files (COFF) linked with www.oxygen.com.ro (Visual Studio 6) (build: )
  • 8 .OBJ Files (OMF) linked with www.oxygen.com.ro (Visual Studio 5) (build: )
  • 8 .OBJ Files linked with www.oxygen.com.ro (Internal www.oxygen.com.ro Tool) (build: )
  • 2 .OBJ Files (OMF) linked with www.oxygen.com.ro (Visual Studio 6) (build: )
  • .OBJ Files (OMF) linked with www.oxygen.com.ro (Visual Studio 6) (build: )
  • 12 .OBJ Files (OMF) linked with www.oxygen.com.ro (Visual Studio 5) (build: )
  • 27 .OBJ Files (COFF) linked with www.oxygen.com.ro (Visual Studio 6) (build: )

File Sections

Details | Name | Entropy | Virtual Address | Virtual Size | Raw Size | MD5