Edit tour
Windows
Analysis Report
06625899.exe
Overview
General Information
Detection
Vidar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Vidar stealer
Detected unpacking (changes PE section rights)
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses known network protocols on non-standard ports
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64
- 06625899.exe (PID: 7120 cmdline:
C:\Users\u ser\Deskto p\06625899 .exe MD5: 22CD094D925FB41F446ED4DB24CC8C35)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
{"C2 url": ["https://steamcommunity.com/profiles/76561199508624021", "https://t.me/looking_glassbot"], "Botnet": "667e85c8112da056f901292caf82b3ed"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 4 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
Click to see the 1 entries |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_00415040 | |
Source: | Code function: | 0_2_00409EC0 | |
Source: | Code function: | 0_2_00415180 | |
Source: | Code function: | 0_2_00401430 | |
Source: | Code function: | 0_2_00414D80 | |
Source: | Code function: | 0_2_00414FC0 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00424100 | |
Source: | Code function: | 0_2_00416500 | |
Source: | Code function: | 0_2_004118B0 | |
Source: | Code function: | 0_2_00416B10 | |
Source: | Code function: | 0_2_00411B90 | |
Source: | Code function: | 0_2_0040BC20 | |
Source: | Code function: | 0_2_00411DD0 | |
Source: | Code function: | 0_2_0041AFF0 | |
Source: | Code function: | 0_2_0040B190 | |
Source: | Code function: | 0_2_004162F0 | |
Source: | Code function: | 0_2_00416770 | |
Source: | Code function: | 0_2_00409F60 |
Source: | Code function: | 0_2_0040D1C0 |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | URLs: | ||
Source: | URLs: |
Source: | JA3 fingerprint: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTP traffic detected: |