Play interactive tourEdit tour
Analysis Report wKYTg7Gp6P.exe
Overview
General Information
Detection
Amadey Vidar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Vidar stealer
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Classification
Startup |
---|
|
Malware Configuration |
---|
Threatname: Vidar |
---|
{"Config: ": ["00000000 -> Version: 38.6", "Date: Wed Apr 28 22:58:45 2021", "MachineID: d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID: {e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}", "HWID: d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963", "Path: C:\\Users\\user\\Desktop\\wKYTg7Gp6P.exe", "Work Dir: C:\\ProgramData\\CU50S1CYVL0A4WGXHOO1KFZGQ", "Windows: Windows 10 Pro [x64]", "Computer Name: 019635", "User Name: user", "Display Resolution: 1280x1024", "Display Language: en-US", "Keyboard Languages: English (United States)", "Local Time: 28/4/2021 22:58:45", "TimeZone: UTC1", "[Hardware]", "Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "CPU Count: 4", "RAM: 8191 MB", "VideoCard: Microsoft Basic Display Adapter", "[Processes]", "---------- System [4]", "------------------------------ Registry [88]", "- smss.exe [300]", "- csrss.exe [400]", "- wininit.exe [476]", "- csrss.exe [488]", "- services.exe [568]", "- winlogon.exe [576]", "- lsass.exe [592]", "- fontdrvhost.exe [692]", "- svchost.exe [712]", "- fontdrvhost.exe [724]", "- svchost.exe [800]", "- svchost.exe [848]", "- svchost.exe [888]", "- dwm.exe [988]", "- svchost.exe [340]", "- svchost.exe [420]", "- svchost.exe [396]", "- svchost.exe [968]", "- svchost.exe [1040]", "- svchost.exe [1104]", "- svchost.exe [1180]", "- svchost.exe [1272]", "- svchost.exe [1328]", "- svchost.exe [1336]", "- svchost.exe [1348]", "- Memory Compression [1408]", "- svchost.exe [1432]", "- svchost.exe [1464]", "- svchost.exe [1480]", "- svchost.exe [1524]", "- svchost.exe [1560]", "- svchost.exe [1632]", "- svchost.exe [1652]", "- svchost.exe [1672]", "- svchost.exe [1720]", "- svchost.exe [1728]", "- svchost.exe [1816]", "- svchost.exe [1824]", "- spoolsv.exe [1888]", "- svchost.exe [1944]", "- svchost.exe [2036]", "- svchost.exe [1252]", "- svchost.exe [1308]", "- svchost.exe [2080]", "- svchost.exe [2116]", "- svchost.exe [2124]", "- svchost.exe [2132]", "- svchost.exe [2144]", "- svchost.exe [2164]", "- svchost.exe [2172]", "- svchost.exe [2180]", "- svchost.exe [2308]", "- svchost.exe [2372]", "- svchost.exe [2420]", "- svchost.exe [2428]", "- sihost.exe [3052]", "- svchost.exe [2304]", "- svchost.exe [2500]", "- taskhostw.exe [3112]", "- svchost.exe [3204]", "---------- ctfmon.exe [3284]", "- explorer.exe [3424]", "- smartscreen.exe [3516]", "- svchost.exe [3676]", "- dllhost.exe [3832]", "- ShellExperienceHost.exe [4028]", "- SearchUI.exe [3188]", "- RuntimeBroker.exe [3656]", "- RuntimeBroker.exe [4268]", "- RuntimeBroker.exe [4772]", "- WmiPrvSE.exe [5060]", "- svchost.exe [4472]", "- SgrmBroker.exe [4644]", "- svchost.exe [4668]", "- svchost.exe [3500]", "- svchost.exe [4960]", "- dllhost.exe [3564]", "- ApplicationFrameHost.exe [4580]", "- svchost.exe [160]", "- audiodg.exe [2232]", "- svchost.exe [2468]", "- svchost.exe [4888]", "- WMIADAP.exe [1620]", "- WmiPrvSE.exe [500]", "- WmiPrvSE.exe [2588]", "- msiexec.exe [4184]", "- svchost.exe [1504]", "- svchost.exe [2856]", "- svchost.exe [3408]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5176]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5204]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5216]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5232]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5240]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5252]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5260]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5268]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5276]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5288]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5296]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5304]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5316]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5324]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5332]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5344]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5352]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5360]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5376]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5384]", "- DjaXdkqbRCmcGPJSmSfCjjO.exe [5392]", "- svchost.exe [5664]", "- wermgr.exe [5692]", "- conhost.exe [5940]", "- MusNotifyIcon.exe [6060]", "- svchost.exe [6088]", "- svchost.exe [2480]", "- RuntimeBroker.exe [1848]", "- UsoClient.exe [4500]", "- UsoClient.exe [5908]", "- svchost.exe [616]", "- backgroundTaskHost.exe [1056]", "- HxTsr.exe [2800]", "- svchost.exe [4180]", "- RuntimeBroker.exe [4284]", "- RuntimeBroker.exe [6208]", "- wKYTg7Gp6P.exe [6924]", "- backgroundTaskHost.exe [7020]", "- BackgroundTransferHost.exe [7084]", "[Software]", "Google Chrome [85.0.4183.121]", "Microsoft Office Professional Plus 2016 [16.0.4266.1001]", "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 [12.0.30501.0]", "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 [12.0.21005]", "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 [10.0.30319]", "Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 [14.21.27702]", "Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 [14.21.27702]", "Java 8 Update 211 [8.0.2110.12]", "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 [11.0.61030.0]", "Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 [14.21.27702.2]", "Java Auto Updater [2.8.211.12]", "Google Update Helper [1.3.35.451]", "Microsoft Office Professional Plus 2016 [16.0.4266.1001]", "Security Update for Microsoft Office 2016 (KB3114690) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920712) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3141456) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3115081) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920717) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114852) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920720) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4022161) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3128012) 32-Bit EditionSecurity Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionSecurity Update for Microsoft PowerPoint 2016 (KB4484246) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3118263) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4022176) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114528) 32-Bit EditionSecurity Update for Microsoft Visio 2016 (KB4484244) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484287) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3118262) 32-Bit EditionUpdate for Skype for Business 2016 (KB4484286) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484214) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4011574) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3213650) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4462119) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4032236) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3085538) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484138) 32-Bit EditionDefinition Update for Microsoft Office 2016 (KB3115407) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920678) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475580) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484248) 32-Bit EditionSecurity Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionSecurity Update for Microsoft Publisher 2016 (KB4011097) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464586) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464538) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4461435) 32-Bit EditionSecurity Update for Microsoft Outlook 2016 (KB4484274) 32-Bit EditionSecurity Update for Microsoft Project 2016 (KB4484269) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3191929) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011259) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464535) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB2920727) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114903) 32-Bit EditionUpdate for Microsoft Office 2016 (KB2920724) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484101) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3118264) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011629) 32-Bit EditionSecurity Update for Microsoft Access 2016 (KB4484167) 32-Bit EditionUpdate for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4032254) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011225) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484106) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4022193) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011634) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484258) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3178666) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011669) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475588) 32-Bit EditionUpdate for Microsoft OneNote 2016 (KB4475586) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3213551) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484145) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3115276) 32-Bit EditionMicrosoft Access MUI (English) 2016 [16.0.4266.1001]", "Microsoft Excel MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011629) 32-Bit EditionMicrosoft PowerPoint MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft PowerPoint 2016 (KB4484246) 32-Bit EditionSecurity Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionMicrosoft Publisher MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Publisher 2016 (KB4011097) 32-Bit EditionMicrosoft Outlook MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionSecurity Update for Microsoft Outlook 2016 (KB4484274) 32-Bit EditionMicrosoft Word MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionSecurity Update for Microsoft Excel 2016 (KB4484273) 32-Bit EditionMicrosoft Office Proofing Tools 2016 - English [16.0.4266.1001]", "Update for Microsoft Office 2016 (KB4464538) 32-Bit EditionOutils de v", "00002601 -> rification linguistique 2016 de Microsoft Office", "00002632 -> - Fran", "00002639 -> ais [16.0.4266.1001]", "Update for Microsoft Office 2016 (KB4464538) 32-Bit EditionHerramientas de correcci", "000026a3 -> n de Microsoft Office 2016: espa", "000026c4 -> ol [16.0.4266.1001]", "Update for Microsoft Office 2016 (KB4464538) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3114528) 32-Bit EditionUpdate for Skype for Business 2016 (KB4484286) 32-Bit EditionUpdate for Microsoft Office 2016 (KB3213650) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4462119) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3085538) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4022162) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484248) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4464586) 32-Bit EditionSecurity Update for Microsoft Project 2016 (KB4484269) 32-Bit EditionUpdate for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484106) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4011634) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475588) 32-Bit EditionUpdate for Microsoft OneNote 2016 (KB4475586) 32-Bit EditionUpdate for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionMicrosoft Office Proofing (English) 2016 [16.0.4266.1001]", "Microsoft InfoPath MUI (English) 2016 [16.0.4266.1001]", "Microsoft Office Shared MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Office 2016 (KB4022176) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4484214) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB4011574) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4475580) 32-Bit EditionUpdate for Microsoft Office 2016 (KB4484106) 32-Bit EditionSecurity Update for Microsoft Office 2016 (KB3213551) 32-Bit EditionMicrosoft DCF MUI (English) 2016 [16.0.4266.1001]", "Microsoft OneNote MUI (English) 2016 [16.0.4266.1001]", "Update for Microsoft OneNote 2016 (KB4475586) 32-Bit EditionMicrosoft Groove MUI (English) 2016 [16.0.4266.1001]", "Update for Microsoft OneDrive for Business (KB4022219) 32-Bit EditionMicrosoft Office OSM MUI (English) 2016 [16.0.4266.1001]", "Microsoft Office OSM UX MUI (English) 2016 [16.0.4266.1001]", "Microsoft Office Shared Setup Metadata MUI (English) 2016 [16.0.4266.1001]", "Microsoft Access Setup Metadata MUI (English) 2016 [16.0.4266.1001]", "Microsoft Skype for Business MUI (English) 2016 [16.0.4266.1001]", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit EditionUpdate for Skype for Business 2016 (KB4484286) 32-Bit EditionAdobe Refresh Manager [1.8.0]", "Adobe Acrobat Reader DC [19.012.20035]", "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 [11.0.61030]", "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 [11.0.61030]", "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 [11.0.61030.0]", "Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 [14.21.27702.2]", "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 [12.0.30501.0]", "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 [12.0.21005]"]}
Yara Overview |
---|
PCAP (Network Traffic) |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security |
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 2 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
Click to see the 1 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Antivirus detection for dropped file | Show sources |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |