analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

80.exe

Full analysis: https://app.any.run/tasks/05db1508-3d06-46d5-b9f1-99d4ac1d0d68
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: September 11, 2019, 09:19:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
stealer
vidar
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

06A143D6FB0FD06DE5AB2FB828866B57

SHA1:

6BE0FEA9DD9A271FF1CD3A0D8AD8BD93396E3ED5

SHA256:

034D6ECB85D1AD5EF8B0F75DD5012436265827083EEBFAC015561981EEF74015

SSDEEP:

24576:dFPYp5Sm0ucgStnSKsEJJ/3dTv51WafJo3W+ZsEm1XR:7PqSRucgSnSKzJvdaaes1XR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • 80.exe (PID: 3548)
    • Stealing of credential data

      • 80.exe (PID: 3548)
    • VIDAR was detected

      • 80.exe (PID: 3548)
  • SUSPICIOUS

    • Creates files in the program directory

      • 80.exe (PID: 3548)
    • Checks for external IP

      • 80.exe (PID: 3548)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

ProductVersion: 1.2.8.4
ProductName: Succumb
CompanyName: FileVersion
LegalCopyright: FileVersion Copyright © 2000 - 2014 KG and its Licensors
LegalTrademarks: FileVersion Copyright © 2000 - 2014 KG and its Licensors
FileDescription: Distribute Ipconfig Links Url
OriginalFileName: Succumb.exe
PrivateBuild: 1.2.8.4
Languages: English
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.2.8.4
FileVersionNumber: 1.2.8.4
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x7a968
UninitializedDataSize: -
InitializedDataSize: 686592
CodeSize: 600576
LinkerVersion: 11
PEType: PE32
TimeStamp: 2019:08:30 20:13:47+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Aug-2019 18:13:47
Detected languages:
  • English - United States
Languages: English
PrivateBuild: 1.2.8.4
OriginalFilename: Succumb.exe
FileDescription: Distribute Ipconfig Links Url
LegalTrademarks: FileVersion Copyright © 2000 - 2014 KG and its Licensors
LegalCopyright: FileVersion Copyright © 2000 - 2014 KG and its Licensors
CompanyName: FileVersion
ProductName: Succumb
ProductVersion: 1.2.8.4

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 30-Aug-2019 18:13:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000929F8
0x00092A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.55492
.rdata
0x00094000
0x00022E6F
0x00023000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.70955
.data
0x000B7000
0x00009D8C
0x00002800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.02318
.rsrc
0x000C1000
0x0006DC90
0x0006DE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.87944
.reloc
0x0012F000
0x000142EC
0x00014400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
3.59916

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.1305
1397
Latin 1 / Western European
English - United States
RT_MANIFEST
2
4.1806
4264
Latin 1 / Western European
English - United States
RT_ICON
3
4.27342
1128
Latin 1 / Western European
English - United States
RT_ICON
370
3.27246
484
Latin 1 / Western European
English - United States
RT_DIALOG
462
3.10114
798
Latin 1 / Western European
English - United States
RT_DIALOG
975
7.97913
58460
Latin 1 / Western European
English - United States
TEMPLATES
976
7.95805
45121
Latin 1 / Western European
English - United States
TEMPLATES
977
7.8728
95406
Latin 1 / Western European
English - United States
TEMPLATES
978
7.79551
117853
Latin 1 / Western European
English - United States
TEMPLATES
979
7.96531
54376
Latin 1 / Western European
English - United States
TEMPLATES

Imports

ADVAPI32.dll
AVIFIL32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
MSVFW32.dll
NETAPI32.dll
OLEAUT32.dll

Exports

Title
Ordinal
Address
Go
1
0x00074918
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #VIDAR 80.exe

Process information

PID
CMD
Path
Indicators
Parent process
3548"C:\Users\admin\AppData\Local\Temp\80.exe" C:\Users\admin\AppData\Local\Temp\80.exe
explorer.exe
User:
admin
Company:
FileVersion
Integrity Level:
MEDIUM
Description:
Distribute Ipconfig Links Url
Modules
Images
c:\users\admin\appdata\local\temp\80.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
41
Read events
23
Write events
18
Delete events
0

Modification events

(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3548) 80.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\80_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
0
Suspicious files
1
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
354880.exeC:\ProgramData\V4LBLHZY91EEETTRAP7JVJXEC\files\outlook.txt
MD5:
SHA256:
354880.exeC:\ProgramData\V4LBLHZY91EEETTRAP7JVJXEC\files\information.txt
MD5:
SHA256:
354880.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\line[1].txttext
MD5:94262B6C49307E5713FF129AB5C34966
SHA256:612614134D8F3613964C8940CDA86A57CFD59314008BD237C8CD8BA5D52A962D
354880.exeC:\ProgramData\V4LBLHZY91EEETTRAP7JVJXEC\ldsqlite
MD5:ACFE428573BC93A1C2D167FA95961BB0
SHA256:BEB40A8A26A3A77B8542DE111F274C42B9095C5152322DE1EA4E112308441338
354880.exeC:\ProgramData\V4LBLHZY91EEETTRAP7JVJXEC\CH_90059c37-1320-41a4-b58d-2b75a9850d2f9110494879.zipcompressed
MD5:BF1BBF2C5056AE8F3377DD4666F8EA17
SHA256:3A4CF260E34136825708B055B4ED56652CA0ED479282BB66808E2EA69D6C8D95
354880.exeC:\ProgramData\V4LBLHZY91EEETTRAP7JVJXEC\files\passwords.txttext
MD5:E0EE1892004A327AE8878494352A35E6
SHA256:E1B782EB670A6D8ED01FEB9CD9DDEF9AE20569B72A1E33E078906D07627F7850
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3548
80.exe
POST
200
185.194.141.58:80
http://ip-api.com/line/
DE
text
124 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3548
80.exe
185.194.141.58:80
ip-api.com
netcup GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
eroomia.com
malicious
ip-api.com
  • 185.194.141.58
shared

Threats

PID
Process
Class
Message
3548
80.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
3548
80.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
3548
80.exe
A Network Trojan was detected
MALWARE [PTsecurity] Arkei/Vidar Stealer
1 ETPRO signatures available at the full report
No debug info