Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1433725
MD5: 0c8b126be8f6262181ba66d64d009f07
SHA1: 80a6b4257741020361681f7fb6eccd1f5785f019
SHA256: 363739eb1038d36a7b76e79e31c92bbea5856f34131397798673664d9a868002
Tags: exe
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer. Details: 36b1

Detection

Vidar
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"], "Botnet": "ef7c93f7ac14adc149ecaa88aa901eed", "Version": "9.2"}
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199677575543
Source: file.exe String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543
Source: file.exe String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543nve7n2Mozilla/5.0
Source: file.exe String found in binary or memory: https://t.me/snsb82
Source: file.exe String found in binary or memory: https://t.me/snsb82nve7n2sqln.dllMozilla/5.0

System Summary

Source: file.exe Static PE information: section name: .vmp_(-)
Source: file.exe Static PE information: section name: .vmp_(-)
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0110F508 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00ECDE22 appears 305 times
Source: file.exe, 00000000.00000002.1990694732.000000000154C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDupefinder.exe@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameDupefinder.exe@ vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: file.exe Static file information: File size 4810240 > 1048576
Source: file.exe Static PE information: Raw size of .vmp_(-) is bigger than: 0x100000 < 0x270200
Source: file.exe Static PE information: Raw size of .vmp_(-) is bigger than: 0x100000 < 0x1e1800
Source: initial sample Static PE information: section where entry point is pointing to: .vmp_(-)
Source: file.exe Static PE information: section name: .vmp_(-) entropy: 7.676073018083831

Malware Analysis System Evasion

Source: file.exe, 00000000.00000000.1989754440.0000000000ED8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: file.exe Binary or memory string: ABAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: file.exe Binary or memory string: PSBIEDLL.DLL
Source: file.exe Binary or memory string: PSBIEDLL.DLL{
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010FE92C rdtsc 0_2_010FE92C
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB1000 cpuid 0_2_00EB1000

Stealing of Sensitive Information

Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.0.file.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1989754440.0000000000ED8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1990316115.0000000000ED8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1776, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.0.file.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1989754440.0000000000ED8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1990316115.0000000000ED8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1776, type: MEMORYSTR
No contacted IP infos