Play interactive tourEdit tour
Analysis Report MsBDqyJWav.exe
Overview
General Information
Detection
Vidar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Classification
Startup |
---|
|
Malware Configuration |
---|
Threatname: Vidar |
---|
{"Config: ": ["00000000 -> Version: 38", "Date: Mon Mar 22 18:52:48 2021", "MachineID: d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID: {e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}", "HWID: d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963", "Path: C:\\Users\\user\\AppData\\Local\\Temp\\is-KUC5O.tmp\\Setup.exe", "Work Dir: C:\\\\ProgramData\\\\XKXCRS65ADTI5SZX0R5RDTMSN", "Windows: Windows 10 Pro [x64]", "Computer Name: 610930", "User Name: user", "Display Resolution: 1280x1024", "Display Language: en-US", "Keyboard Languages: English (United States)", "Local Time: 22/3/2021 18:52:48", "TimeZone: UTC-8", "[Hardware]", "Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "CPU Count: 4", "RAM: 8191 MB", "VideoCard: Microsoft Basic Display Adapter", "[Processes]", "---------- System [4]", "------------------------------ Registry [88]", "- smss.exe [296]", "- csrss.exe [388]", "- wininit.exe [468]", "- csrss.exe [480]", "- services.exe [560]", "- winlogon.exe [568]", "- lsass.exe [588]", "- fontdrvhost.exe [688]", "- fontdrvhost.exe [696]", "- svchost.exe [716]", "- svchost.exe [792]", "- svchost.exe [840]", "- svchost.exe [892]", "- dwm.exe [960]", "- svchost.exe [332]", "- svchost.exe [344]", "- svchost.exe [372]", "- svchost.exe [936]", "- svchost.exe [1060]", "- svchost.exe [1128]", "- svchost.exe [1200]", "- svchost.exe [1248]", "- svchost.exe [1300]", "- svchost.exe [1312]", "- svchost.exe [1332]", "- svchost.exe [1392]", "- Memory Compression [1400]", "- svchost.exe [1440]", "- svchost.exe [1488]", "- svchost.exe [1496]", "- svchost.exe [1528]", "- svchost.exe [1588]", "- svchost.exe [1660]", "- svchost.exe [1668]", "- svchost.exe [1712]", "- svchost.exe [1728]", "- svchost.exe [1796]", "- svchost.exe [1852]", "- svchost.exe [1884]", "- svchost.exe [1892]", "- spoolsv.exe [1976]", "- svchost.exe [2016]", "- svchost.exe [1596]", "- svchost.exe [2056]", "- svchost.exe [2064]", "- svchost.exe [2164]", "- svchost.exe [2172]", "- svchost.exe [2180]", "- svchost.exe [2216]", "- svchost.exe [2224]", "- svchost.exe [2236]", "- svchost.exe [2256]", "- svchost.exe [2364]", "- svchost.exe [2440]", "- svchost.exe [2504]", "- sihost.exe [2080]", "- svchost.exe [2544]", "- svchost.exe [1188]", "- taskhostw.exe [3144]", "- svchost.exe [3260]", "---------- ctfmon.exe [3300]", "- explorer.exe [3440]", "- smartscreen.exe [3560]", "- svchost.exe [3720]", "- dllhost.exe [3840]", "- ShellExperienceHost.exe [4088]", "- SearchUI.exe [3276]", "- RuntimeBroker.exe [3092]", "- RuntimeBroker.exe [4252]", "- svchost.exe [4420]", "- RuntimeBroker.exe [4572]", "- RuntimeBroker.exe [4636]", "- WmiPrvSE.exe [4920]", "- dllhost.exe [4784]", "- WmiPrvSE.exe [4908]", "- svchost.exe [1144]", "- SgrmBroker.exe [1752]", "- svchost.exe [5104]", "- svchost.exe [2248]", "- svchost.exe [2872]", "- WmiPrvSE.exe [496]", "- msiexec.exe [980]", "- svchost.exe [4592]", "- svchost.exe [2436]", "- svchost.exe [5112]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5196]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5208]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5220]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5228]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5236]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5244]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5252]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5264]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5272]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5280]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5292]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5304]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5312]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5320]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5332]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5340]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5348]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5360]", "- yxfXGUiRFsbWKTHLRLkAVEMt.exe [5368]", "- svchost.exe [5636]", "- wermgr.exe [5644]", "- MusNotifyIcon.exe [5860]", "- svchost.exe [5884]", "- conhost.exe [6068]", "- svchost.exe [5780]", "- RuntimeBroker.exe [5108]", "- UsoClient.exe [5976]", "- backgroundTaskHost.exe [4632]", "- backgroundTaskHost.exe [4892]", "- svchost.exe [4972]", "- RuntimeBroker.exe [6228]", "- svchost.exe [6400]", "- Setup.exe [7124]", "- svchost.exe [7144]", "[Software]", "Google Chrome [85.0.4183.121]", "Microsoft Office Professional Plus 2016 [16.0.4266.1001]", "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 [12.0.30501.0]", "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 [12.0.21005]", "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 [10.0.30319]", "Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 [14.21.27702]", "Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 [14.21.27702]", "Java 8 Update 211 [8.0.2110.12]", "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 [11.0.61030.0]", "Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 [14.21.27702.2]", "Java Auto Updater [2.8.211.12]", "Google Update Helper [1.3.35.451]", "Microsoft Office Professional Plus 2016 [16.0.4266.1001]", "Security Update for Microsoft Office 2016 (KB3114690) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920712) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3141456) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3115081) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920717) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114852) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920720) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4022161) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3128012) 32-Bit EditionSecurity Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionSecurity Update for Microsoft PowerPoint 2016 (KB4484246) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3118263) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4022176) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114528) 32-Bit EditionSecurity Update for Microsoft Visio 2016 (KB4484244) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484287) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3118262) 32-Bit EditionUpdate for Skype for Business 2016 (KB4484286) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484214) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4011574) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3213650) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4462119) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4032236) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3085538) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484138) 32-Bit EditionDefinition Update for Microsoft Office 2016 (KB3115407) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920678) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475580) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484248) 32-Bit EditionSecurity Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionSecurity Update for Microsoft Publisher 2016 (KB4011097) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464586) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464538) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4461435) 32-Bit EditionSecurity Update for Microsoft Outlook 2016 (KB4484274) 32-Bit EditionSecurity Update for Microsoft Project 2016 (KB4484269) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3191929) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011259) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464535) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB2920727) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114903) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920724) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484101) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3118264) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011629) 32-Bit EditionSecurity Update for Microsoft Access 2016 (KB4484167) 32-Bit EditionUpdate for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4032254) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011225) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484106) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4022193) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011634) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484258) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3178666) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011669) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475588) 32-Bit EditionUpdate for Microsoft OneNote 2016 (KB4475586) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3213551) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484145) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3115276) 32-Bit EditionMicrosoft Access MUI (English) 2016 [16.0.4266.1001]", "Microsoft Excel MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011629) 32-Bit EditionMicrosoft PowerPoint MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft PowerPoint 2016 (KB4484246) 32-Bit EditionSecurity Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionMicrosoft Publisher MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Publisher 2016 (KB4011097) 32-Bit EditionMicrosoft Outlook MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionSecurity Update for Microsoft Outlook 2016 (KB4484274) 32-Bit EditionMicrosoft Word MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionSecurity Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionMicrosoft Office Proofing Tools 2016 - English [16.0.4266.1001]", "Update for Microsoft Office 2016 (KB4464538) 32-Bit EditionOutils de v", "0000251f -> rification linguistique 2016 de Microsoft Office", "00002550 -> - Fran", "00002557 -> ais [16.0.4266.1001]", "Update for Microsoft Office 2016 (KB4464538) 32-Bit EditionHerramientas de correcci", "000025c1 -> n de Microsoft Office 2016: espa", "000025e2 -> ol [16.0.4266.1001]", "Update for Microsoft Office 2016 (KB4464538) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114528) 32-Bit EditionUpdate for Skype for Business 2016 (KB4484286) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3213650) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4462119) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3085538) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4022162) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484248) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464586) 32-Bit EditionSecurity Update for Microsoft Project 2016 (KB4484269) 32-Bit EditionUpdate for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484106) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011634) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475588) 32-Bit EditionUpdate for Microsoft OneNote 2016 (KB4475586) 32-Bit EditionUpdate for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionMicrosoft Office Proofing (English) 2016 [16.0.4266.1001]", "Microsoft InfoPath MUI (English) 2016 [16.0.4266.1001]", "Microsoft Office Shared MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Office 2016 (KB4022176) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484214) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4011574) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475580) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484106) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3213551) 32-Bit EditionMicrosoft DCF MUI (English) 2016 [16.0.4266.1001]", "Microsoft OneNote MUI (English) 2016 [16.0.4266.1001]", "Update for Microsoft OneNote 2016 (KB4475586) 32-Bit EditionMicrosoft Groove MUI (English) 2016 [16.0.4266.1001]", "Update for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionMicrosoft Office OSM MUI (English) 2016 [16.0.4266.1001]", "Microsoft Office OSM UX MUI (English) 2016 [16.0.4266.1001]", "Microsoft Office Shared Setup Metadata MUI (English) 2016 [16.0.4266.1001]", "Microsoft Access Setup Metadata MUI (English) 2016 [16.0.4266.1001]", "Microsoft Skype for Business MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionUpdate for Skype for Business 2016 (KB4484286) 32-Bit EditionAdobe Acrobat Reader DC [19.012.20035]", "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 [11.0.61030]", "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 [11.0.61030]", "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 [11.0.61030.0]", "Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 [14.21.27702.2]", "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 [12.0.30501.0]", "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 [12.0.21005]"]}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
Click to see the 1 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Antivirus detection for URL or domain | Show sources |
Source: | Avira URL Cloud: |
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |