Windows Analysis Report
pdf_novichki.rar

Overview

General Information

Sample Name: pdf_novichki.rar
Analysis ID: 829691
MD5: 214c47a7948ca5d3834c3f21cd1cc208
SHA1: 865f07f62dcf68c9929baf4890328e32d7f923fa
SHA256: 0a5e037e5954adb680c726089439539073993e2e1114a9ca9e6932e7dd702d9e

Detection

Vidar
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Antivirus detection for dropped file
Drops PE files with a suspicious file extension
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Contains functionality to compare user and computer (likely to detect sandboxes)
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 1708 cmdline: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail MD5: CA3FDE8329DE07C95897DB0D828545CD)
  • OpenWith.exe (PID: 6360 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: 5D37A62943F1071FFFFE1DE74B8F2778)
  • 7zG.exe (PID: 6632 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\pdf_novichki\" -spe -an -ai#7zMap2692:86:7zEvent4577 MD5: 04FB3AE7F05C8BC333125972BA907398)
  • pdf4ik.scr (PID: 6916 cmdline: "C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr" /S MD5: BF481108AC0A54E82E5683ED8AE58CEB)
    • WerFault.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 1968 MD5: 28D356B668C66115EA55135D24EEFB2C)
  • cleanup
{"Botnet": "3", "C2 url": ["https://t.me/zaskullz", "https://steamcommunity.com/profiles/76561199486572327"]}
Source | Rule | Description | Author | Strings
0000000C.00000002.2416733096.000000000158D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000C.00000002.2422398802.0000000029ADC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000C.00000002.2423789607.0000000029D80000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Process Memory Space: pdf4ik.scr PID: 6916 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Process Memory Space: pdf4ik.scr PID: 6916 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
12.2.pdf4ik.scr.29d80000.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
12.2.pdf4ik.scr.29d80000.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
12.2.pdf4ik.scr.29adb058.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
12.0.pdf4ik.scr.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x75042a:$s1: JohnDoe
  • 0x750432:$s2: HAL9TH
No Sigma rule has matched
No Snort rule has matched

                  AV Detection

Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr | Avira: detection malicious, Label: WORM/Lodbak.Gen2
Source: 12.2.pdf4ik.scr.29d80000.1.unpack | Malware Configuration Extractor: Vidar {"Botnet": "3", "C2 url": ["https://t.me/zaskullz", "https://steamcommunity.com/profiles/76561199486572327"]}
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr | Code function: 12_2_29D94697 lstrcatA,lstrcatA,lstrcatA,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,_memset,lstrcatA,lstrcatA,lstrcatA,KiUserExceptionDispatcher,CryptBinaryToStringA,GetProcessHeap,HeapAlloc,_memset,CryptBinaryToStringA,CreateThread,CreateThread,Sleep,Sleep,CreateThread,Sleep,12_2_29D94697
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr | Code function: 12_2_29D98FB0 _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,12_2_29D98FB0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr | Code function: 12_2_29D991B0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,12_2_29D991B0
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr | Code function: 12_2_29D85010 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,12_2_29D85010
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr | Code function: 12_2_29D99210 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,12_2_29D99210
Source: C:\Users\user\Desktop\pdf_novichki\pdf\pdf4ik.scr | Code function: 12_2_29D994A0 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,12_2_29D994A0