Win32/Packed.Obsidium.EF information

Win32/Packed.Obsidium.EF is flagged as malicious by many security vendors (see the detection names below). When this infection is active, you may notice unfamiliar processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It can run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can the Win32/Packed.Obsidium.EF virus do?

The following behaviours are the CAPE sandbox signatures triggered by the sample described under File Info below:

  • Behavioural detection: executable code extraction (unpacking)
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Attempts to connect to a dead IP:Port (1 unique time)
  • YARA rule detections observed from a process memory dump, dropped files or CAPE
  • Creates RWX memory
  • NtSetInformationThread: attempt to hide a thread from the debugger (ThreadHideFromDebugger)
  • A process attempted to delay the analysis task
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Expresses interest in specific running processes
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Unconventional binary language: Arabic (Algeria)
  • Unconventional language used in binary resources: Serbian (Latin)
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data
  • Authenticode signature is invalid
  • Deletes its original binary from disk
  • Sniffs keystrokes
  • Installs a hook procedure to monitor for mouse events
  • Checks for the presence of known windows from debuggers and forensic tools
  • Installs itself for autorun at Windows startup
  • Checks for the presence of known devices from debuggers and forensic tools
  • Detects VirtualBox through the presence of a device
  • Creates a copy of itself
  • Anomalous binary characteristics

How to identify Win32/Packed.Obsidium.EF?

File Info:

name: E1B09E61B51B90E7295E.mlw
path: /opt/CAPEv2/storage/binaries/39d4a8b10698989af35f338e05506318e949568582fbf613a54a28b559f28b2e
crc32: 74CA6B34
md5: e1b09e61b51b90e7295e2e9ba28672a1
sha1: 439cdff507b3ea0a293b24041c7f8c9cd1903372
sha256: 39d4a8b10698989af35f338e05506318e949568582fbf613a54a28b559f28b2e
sha512: 55031948d11b727f0fc98d0f3e1fd2c31a4a288d5656e7b2a4b56c8e7f3a5206f2abf829d77a258922c1828c311623094e1e67df5531b315e2f0075936e9520b
ssdeep: 98304:aXkLRhHPZKQphy6s14CJZ/dmgPmaKH83Wx5ZxgWNBc:acp33RsiC5m4H3WxzbQ
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1CF2633117BA611CBF427BB3064F222036335FC74EBADE71F89886553DD26448ADA73A1
sha3_384: 44d261a35975e78b9c321cfd457d031c2e506f9f368afa8cf3a3c063d29df363556ffa9edfe27cb735c0e91c53506b80
ep_bytes: eb05f69d6d6f1350eb0563b1ef785ee8
timestamp: 2021-06-30 02:16:18

Version Info:

CompanyName: Realtek Semiconductor
FileDescription: Realtek HD audio menadžer
FileVersion: 1, 0, 0, 9
InternalName: EP.exe
LegalCopyright: 2017 (c) Realtek Semiconductor. All rights reserved.
OriginalFilename: EP.exe
ProductName: Realtek HD audio menadžer
ProductVersion: 1, 0, 0, 9
Translation: 0x0419 0x04e4 (language ID 0x0419 = Russian, code page 0x04e4 = 1252)
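
The hashes and static indicators above can be checked locally. The script below is an added example for this page (it is not GridinSoft's code and not part of the CAPE report): it computes the same digests as the File Info block, walks the PE section table looking for the two static indicators flagged above (an unknown section name and high-entropy, i.e. packed or encrypted, data), and decodes the Translation pair from the Version Info block. The section-name allowlist, the language-ID table, the `.pack0` section name and the in-memory sample image are all constructed assumptions for the demonstration; call `triage()` on the bytes of a real file to compare its digests against the ones listed.

```python
"""Offline static triage of a PE file: digests, section names, per-section
entropy and the VS_VERSIONINFO translation pair. Added example, standard
library only; build_sample_pe() constructs a stand-in image so this runs
without the real sample."""
import hashlib
import math
import struct

# Section names the usual MSVC/MinGW toolchains emit (assumption: a starting
# point, not exhaustive). Anything else, e.g. a packer's own section, is the
# "unknown PE section name" indicator from the sandbox report.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA"}

# Subset of Windows language IDs relevant to this report (typed in by hand).
LANGIDS = {0x0409: "en-US", 0x0419: "ru-RU", 0x1401: "ar-DZ", 0x081A: "sr-Latn"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, much lower for code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """Same digests as the File Info block, for matching a file against it."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def pe_sections(data: bytes) -> list:
    """Walk the section table of a PE32/PE32+ image without a third-party parser."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(body), 2),
                         "known_name": name in KNOWN_SECTIONS})
    return sections


def decode_translation(langid: int, codepage: int) -> tuple:
    """Decode a 'Translation: 0x0419 0x04e4' pair into (language tag, code page)."""
    return LANGIDS.get(langid, f"0x{langid:04x}"), codepage


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Static indicators worth checking before trusting a vendor name alone."""
    secs = pe_sections(data)
    return {"hashes": file_hashes(data), "sections": secs,
            "unknown_section_names": [s["name"] for s in secs if not s["known_name"]],
            "high_entropy_sections": [s["name"] for s in secs
                                      if s["entropy"] >= entropy_threshold]}


def _keystream(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for packed/encrypted data."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe() -> bytes:
    """Constructed stand-in, not the real sample: a PE32 image with a normal
    '.text' section and a hypothetical packer section named '.pack0'."""
    opt_size = 224                                          # PE32 optional header
    img = bytearray(5120)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # Machine=i386, 2 sections, no symbols, opt header size, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", img, 0x58, 0x10B)                # PE32 magic
    table = 0x58 + opt_size
    text = b"\x90" * 256 + bytes(range(64)) * 4             # entropy exactly 4.0
    packed = _keystream(4096)                               # entropy close to 8
    for i, (name, body, ptr) in enumerate(((b".text", text, 512),
                                           (b".pack0", packed, 1024))):
        struct.pack_into("<8sIIII", img, table + 40 * i,
                         name, len(body), 0x1000 * (i + 1), len(body), ptr)
        img[ptr:ptr + len(body)] = body
    return bytes(img)


if __name__ == "__main__":
    report = triage(build_sample_pe())          # or triage(open(path, "rb").read())
    for s in report["sections"]:
        print(f"{s['name']:<8} size={s['raw_size']:<5} entropy={s['entropy']}")
    print("unknown:", report["unknown_section_names"], "high-entropy:", report["high_entropy_sections"])
    print("Translation 0x0419 0x04e4 ->", decode_translation(0x0419, 0x04E4))
```

A real Obsidium-packed file will typically show one small, low-entropy stub section and one or more large sections near 8 bits per byte, which is what the "likely contains encrypted or compressed data" signature keys on; the digests let you confirm you are looking at the same file as the report before reading anything else into it.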

Win32/Packed.Obsidium.EF also known as:

  • Bkav: W32.AIDetect.malware2
  • DrWeb: Trojan.Siggen16.26551
  • MicroWorld-eScan: Trojan.GenericKD.38458845
  • FireEye: Generic.mg.e1b09e61b51b90e7
  • CAT-QuickHeal: Trojan.Multi
  • McAfee: Artemis!E1B09E61B51B
  • Cylance: Unsafe
  • Sangfor: Exploit.Win32.Shellcode.afrr
  • Alibaba: Trojan:Win32/Starter.ali2000005
  • Cybereason: malicious.507b3e
  • BitDefenderTheta: Gen:NN.ZexaF.34114.@F3@aetuBA1P
  • Symantec: ML.Attribute.HighConfidence
  • ESET-NOD32: a variant of Win32/Packed.Obsidium.EF
  • TrendMicro-HouseCall: TROJ_GEN.R002C0WA922
  • Paloalto: generic.ml
  • Kaspersky: Exploit.Win32.Shellcode.afrr
  • BitDefender: Trojan.GenericKD.38458845
  • Avast: Win32:Malware-gen
  • Tencent: Win32.Exploit.Shellcode.Ajuu
  • Ad-Aware: Trojan.GenericKD.38458845
  • Emsisoft: Trojan.GenericKD.38458845 (B)
  • TrendMicro: TROJ_GEN.R002C0WA922
  • McAfee-GW-Edition: BehavesLike.Win32.BadFile.rc
  • Sophos: Mal/Generic-S
  • Ikarus: Trojan.Win32.Obsidium
  • Jiangmin: Exploit.ShellCode.gei
  • Avira: EXP/Shell.eevfy
  • Microsoft: Trojan:Win32/Sabsik.FL.B!ml
  • GData: Trojan.GenericKD.38458845
  • Cynet: Malicious (score: 99)
  • VBA32: BScope.Trojan.Tiggre
  • ALYac: Trojan.GenericKD.38458845
  • MAX: malware (ai score=86)
  • Malwarebytes: Trojan.MalPack.Obsidium
  • APEX: Malicious
  • Rising: Exploit.Shellcode!8.2A (CLOUD)
  • Fortinet: Malicious_Behavior.SB
  • AVG: Win32:Malware-gen
  • Panda: Trj/CI.A
  • CrowdStrike: win/malicious_confidence_100% (W)

How to remove Win32/Packed.Obsidium.EF?

Win32/Packed.Obsidium.EF removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Select “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the affected browser and the desired options, then click “Reset”.
  • Restart your computer.

Because this sample installs itself for autorun at Windows startup and creates a copy of itself, run a second scan after the restart to confirm that both the copy and the startup entry are gone.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.