Source | Finding
--- | ---
file.exe | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"], "Botnet": "ef7c93f7ac14adc149ecaa88aa901eed", "Version": "9.2"}
file.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199677575543
file.exe | String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543
file.exe | String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543nve7n2Mozilla/5.0
file.exe | String found in binary or memory: https://t.me/snsb82
file.exe | String found in binary or memory: https://t.me/snsb82nve7n2sqln.dllMozilla/5.0
file.exe | Static PE information: section name: .vmp_(-)
file.exe | Static PE information: section name: .vmp_(-)
C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED232B
C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB2798
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FE2F0
C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED2A07
C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB2EA9
C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB2E7F
C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB3189
C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB3154
C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB34D0
C:\Users\user\Desktop\file.exe | Code function: 0_2_01113740
C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED1889
C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED1DDA
C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED3F10
C:\Users\user\Desktop\file.exe | Code function: String function: 0110F508 appears 35 times
C:\Users\user\Desktop\file.exe | Code function: String function: 00ECDE22 appears 305 times
file.exe, 00000000.00000002.1990694732.000000000154C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDupefinder.exe@ vs file.exe
file.exe | Binary or memory string: OriginalFilenameDupefinder.exe@ vs file.exe
file.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
classification engine | Classification label: mal72.troj.evad.winEXE@1/0@0/0
file.exe | Static file information: File size 4810240 > 1048576
file.exe | Static PE information: Raw size of .vmp_(-) is bigger than: 0x100000 < 0x270200
file.exe | Static PE information: Raw size of .vmp_(-) is bigger than: 0x100000 < 0x1e1800
initial sample | Static PE information: section where entry point is pointing to: .vmp_(-)
file.exe | Static PE information: section name: .vmp_(-)
file.exe | Static PE information: section name: .vmp_(-)
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FE08D push eax; ret 0_2_010FE08F
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FA339 push edi; ret 0_2_012E1B05
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FA228 push esi; ret 0_2_013483F2
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FA2F7 push eax; ret 0_2_012EDBF5
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FA50E push esi; ret 0_2_010FA523
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FC558 push edi; ret 0_2_010FC559
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FE5A3 push esi; ret 0_2_010FE5A4
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FC446 push esi; ret 0_2_010FC447
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FE455 push esi; ret 0_2_010FE461
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FE47F push esi; ret 0_2_010FE4A3
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FC4B9 push esi; ret 0_2_010FC4BA
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FE7C1 push esi; ret 0_2_011821FA
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FE7E5 push esi; ret 0_2_01237124
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FC63D push esi; ret 0_2_010FC63E
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FC6F8 push ebp; ret 0_2_010FC6F9
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FA9E5 push ebp; ret 0_2_010FA9E6
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FC81E push edi; ret 0_2_0133550B
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FA813 push esi; ret 0_2_010FA816
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FA835 push edi; ret 0_2_01226680
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FA863 push ebp; ret 0_2_010FA864
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FE8E5 push esi; ret 0_2_012D65DD
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FAA38 push eax; ret 0_2_010FAA3B
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FCA4A push edi; ret 0_2_012A752F
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FCACB push edi; ret 0_2_011BFC20
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FCAD9 push edi; ret 0_2_010FCADA
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FEAF8 pushfd ; iretd 0_2_010FEB13
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FCD0A push eax; ret 0_2_010FCD0C
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FED60 push edi; ret 0_2_010FED61
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FCC4B push ebp; ret 0_2_0128BEF3
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FECDE push esi; ret 0_2_013401AF
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FCF84 push edi; ret 0_2_010FCF8B
file.exe | Static PE information: section name: .vmp_(-) entropy: 7.676073018083831
file.exe, 00000000.00000000.1989754440.0000000000ED8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
file.exe | Binary or memory string: ABAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
file.exe | Binary or memory string: PSBIEDLL.DLL
file.exe | Binary or memory string: PSBIEDLL.DLL{
C:\Users\user\Desktop\file.exe | Code function: 0_2_010FE92C rdtsc
all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB1000 cpuid
Yara match | File source: file.exe, type: SAMPLE
Yara match | File source: 0.0.file.exe.eb0000.0.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.file.exe.eb0000.0.unpack, type: UNPACKEDPE
Yara match | File source: 00000000.00000000.1989754440.0000000000ED8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match | File source: 00000000.00000002.1990316115.0000000000ED8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match | File source: Process Memory Space: file.exe PID: 1776, type: MEMORYSTR