File name:

file

Full analysis: https://app.any.run/tasks/999810aa-492a-49a5-8d52-2c0fbd8e6b53
Verdict: Malicious activity
Threats:

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This upgraded version of Arkei stealer has been terrorizing the internet since 2018.

Analysis date: December 05, 2022, 21:04:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
loader
gcleaner
stealer
vidar
amadey
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5:

95EF39D083A9FC080782CB3D1D865097

SHA1:

3B01362E4510FC738740E6FDA55BCCA7164A57E1

SHA256:

1552C2A4369C9E5AD1BE0F7C06A09BF7EA806E2D5BFB724A1E939E1DEFC1608F

SSDEEP:

98304:Qc66ZjzwseTpfmY2TNAq/A6VTuFdIxIs98zNY2IUE/ycY/K:B7jzx+FaAq/ZAFd7s98CbUeycY/K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • is-VARHN.tmp (PID: 2320)
      • VSEa235z.exe (PID: 3884)
      • PrintFolders.exe (PID: 2480)
      • gntuud.exe (PID: 1988)
    • Application was dropped or rewritten from another process

      • dD1n0sRRNe.exe (PID: 3136)
      • VSEa235z.exe (PID: 3884)
      • QhpTBV.exe (PID: 2976)
      • gntuud.exe (PID: 1988)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 2360)
      • gntuud.exe (PID: 572)
    • G-cleaner network activity is detected

      • PrintFolders.exe (PID: 2480)
    • Steals credentials from Web Browsers

      • VSEa235z.exe (PID: 3884)
    • VIDAR was detected

      • VSEa235z.exe (PID: 3884)
    • Loads dropped or rewritten executable

      • VSEa235z.exe (PID: 3884)
      • rundll32.exe (PID: 1492)
    • Changes the Startup folder

      • gntuud.exe (PID: 1988)
    • Changes the autorun value in the registry

      • gntuud.exe (PID: 1988)
    • Uses Task Scheduler to run other applications

      • gntuud.exe (PID: 1988)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3072)
    • AMADEY was detected

      • gntuud.exe (PID: 1988)
  • SUSPICIOUS

    • Reads the Internet Settings

      • PrintFolders.exe (PID: 2480)
      • VSEa235z.exe (PID: 3884)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 1988)
    • Drops a file with too old compile date

      • is-VARHN.tmp (PID: 2320)
      • gntuud.exe (PID: 1988)
    • Reads Microsoft Outlook installation path

      • PrintFolders.exe (PID: 2480)
    • Reads the Windows owner or organization settings

      • is-VARHN.tmp (PID: 2320)
    • Creates a directory in Program Files

      • is-VARHN.tmp (PID: 2320)
    • Executable content was dropped or overwritten

      • is-VARHN.tmp (PID: 2320)
      • VSEa235z.exe (PID: 3884)
      • PrintFolders.exe (PID: 2480)
      • gntuud.exe (PID: 1988)
    • Connects to the server without a host name

      • PrintFolders.exe (PID: 2480)
      • VSEa235z.exe (PID: 3884)
      • rundll32.exe (PID: 1492)
      • gntuud.exe (PID: 1988)
    • Checks Windows Trust Settings

      • VSEa235z.exe (PID: 3884)
    • Reads settings of System Certificates

      • VSEa235z.exe (PID: 3884)
    • Reads security settings of Internet Explorer

      • VSEa235z.exe (PID: 3884)
    • Reads browser cookies

      • VSEa235z.exe (PID: 3884)
    • Searches for installed software

      • VSEa235z.exe (PID: 3884)
    • Starts CMD.EXE for self-deleting

      • VSEa235z.exe (PID: 3884)
    • Starts CMD.EXE for commands execution

      • VSEa235z.exe (PID: 3884)
      • PrintFolders.exe (PID: 2480)
    • Starts itself from another location

      • F1UZOpP.exe (PID: 452)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 4024)
    • Uses TASKKILL.EXE to terminate process

      • cmd.exe (PID: 4024)
    • Executes via Task Scheduler

      • gntuud.exe (PID: 2360)
      • gntuud.exe (PID: 572)
    • Uses RUNDLL32.EXE to load library

      • gntuud.exe (PID: 1988)
    • Process requests binary or script from the Internet

      • gntuud.exe (PID: 1988)
  • INFO

    • Checks supported languages

      • PrintFolders.exe (PID: 2480)
      • file.exe (PID: 3672)
      • is-VARHN.tmp (PID: 2320)
      • dD1n0sRRNe.exe (PID: 3136)
      • VSEa235z.exe (PID: 3884)
      • QhpTBV.exe (PID: 2976)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 1988)
      • gntuud.exe (PID: 572)
      • gntuud.exe (PID: 2360)
    • Loads dropped or rewritten executable

      • is-VARHN.tmp (PID: 2320)
    • Application was dropped or rewritten from another process

      • is-VARHN.tmp (PID: 2320)
    • Drops a file that was compiled in debug mode

      • is-VARHN.tmp (PID: 2320)
      • PrintFolders.exe (PID: 2480)
      • VSEa235z.exe (PID: 3884)
    • Reads the computer name

      • PrintFolders.exe (PID: 2480)
      • is-VARHN.tmp (PID: 2320)
      • VSEa235z.exe (PID: 3884)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 1988)
    • Creates a software uninstall entry

      • is-VARHN.tmp (PID: 2320)
    • Creates files in the program directory

      • is-VARHN.tmp (PID: 2320)
      • VSEa235z.exe (PID: 3884)
    • Creates a file in a temporary directory

      • is-VARHN.tmp (PID: 2320)
      • file.exe (PID: 3672)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 1988)
    • Checks proxy server information

      • PrintFolders.exe (PID: 2480)
      • VSEa235z.exe (PID: 3884)
      • gntuud.exe (PID: 1988)
    • Reads Environment values

      • VSEa235z.exe (PID: 3884)
    • Reads CPU info

      • VSEa235z.exe (PID: 3884)
    • Reads product name

      • VSEa235z.exe (PID: 3884)
    • Reads the CPU's name

      • VSEa235z.exe (PID: 3884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (82.8)
.exe | Win32 Executable Delphi generic (10.7)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName:
FileDescription: PrintFolders Setup
FileVersion:
InternalName:
OriginalFilename:
ProductName:
ProductVersion:

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: 0
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 26
e_oemid: 0
e_oeminfo: 0
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
4096
36352
36352
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60044
DATA
40960
584
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.72043
BSS
45056
3684
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
49152
2248
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.2508
.tls
53248
8
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
57344
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.199108
.reloc
61440
2156
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc
65536
167124
167424
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
5.27927

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.39383
1128
Latin 1 / Western European
English - United States
RT_ICON
2
5.94971
2440
Latin 1 / Western European
English - United States
RT_ICON
3
5.5357
4264
Latin 1 / Western European
English - United States
RT_ICON
4
5.48577
9640
Latin 1 / Western European
English - United States
RT_ICON
5
5.25469
16936
Latin 1 / Western European
English - United States
RT_ICON
6
5.46372
21640
Latin 1 / Western European
English - United States
RT_ICON
7
5.3545
38056
Latin 1 / Western European
English - United States
RT_ICON
8
4.90318
67624
Latin 1 / Western European
English - United States
RT_ICON
4089
3.21823
754
Latin 1 / Western European
UNKNOWN
RT_STRING
4090
3.31515
780
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
17
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start file.exe no specs file.exe is-varhn.tmp #GCLEANER printfolders.exe dd1n0srrne.exe no specs #VIDAR vsea235z.exe qhptbv.exe cmd.exe no specs timeout.exe no specs f1uzopp.exe no specs #AMADEY gntuud.exe schtasks.exe no specs cmd.exe no specs taskkill.exe no specs gntuud.exe no specs rundll32.exe gntuud.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
868"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
PrintFolders Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
3672"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Integrity Level:
HIGH
Description:
PrintFolders Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
2320"C:\Users\admin\AppData\Local\Temp\is-VV33G.tmp\is-VARHN.tmp" /SL4 $30138 "C:\Users\admin\AppData\Local\Temp\file.exe" 3620208 208896 C:\Users\admin\AppData\Local\Temp\is-VV33G.tmp\is-VARHN.tmp
file.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.42.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vv33g.tmp\is-varhn.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
2480"C:\Program Files\PrintFolders\PrintFolders.exe" C:\Program Files\PrintFolders\PrintFolders.exe
is-VARHN.tmp
User:
admin
Company:
Atr Software
Integrity Level:
HIGH
Description:
Data Recovery
Exit code:
0
Version:
1.2.3.100
Modules
Images
c:\program files\printfolders\printfolders.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3136 C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\dD1n0sRRNe.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\dd1n0srrne.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
3884"C:\Users\admin\AppData\Roaming\D6LN0UJr\VSEa235z.exe"C:\Users\admin\AppData\Roaming\D6LN0UJr\VSEa235z.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\d6ln0ujr\vsea235z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
2976"C:\Users\admin\AppData\Roaming\mSew0ZgmvL\QhpTBV.exe"C:\Users\admin\AppData\Roaming\mSew0ZgmvL\QhpTBV.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\msew0zgmvl\qhptbv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
3636"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\admin\AppData\Roaming\D6LN0UJr\VSEa235z.exe" & exitC:\Windows\System32\cmd.exeVSEa235z.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3216timeout /t 6 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
452"C:\Users\admin\AppData\Roaming\CopPeGpAA6P\F1UZOpP.exe"C:\Users\admin\AppData\Roaming\CopPeGpAA6P\F1UZOpP.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\coppegpaa6p\f1uzopp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
Total events
9 082
Read events
8 969
Write events
111
Delete events
2

Modification events

(PID) Process:(2320) is-VARHN.tmpKey:HKEY_CURRENT_USER\Software\Atzpoint Software\PrintFolders
Operation:writeName:Language
Value:
eng
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.1.2-beta
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\PrintFolders
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\PrintFolders\
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Icon Group
Value:
PrintFolders
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayName
Value:
PrintFolders 3.100
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PrintFolders\PrintFolders.exe
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:UninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe"
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe" /SILENT
Executable files
25
Suspicious files
10
Text files
7
Unknown types
14

Dropped files

PID
Process
Filename
Type
2320is-VARHN.tmpC:\Program Files\PrintFolders\is-89NO2.tmp
MD5:
SHA256:
2320is-VARHN.tmpC:\Program Files\PrintFolders\PrintFolders.exe
MD5:
SHA256:
2320is-VARHN.tmpC:\Users\admin\AppData\Local\Temp\is-EDNF5.tmp\_iscrypt.dllexecutable
MD5:A69559718AB506675E907FE49DEB71E9
SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
2480PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\count[1].htmbinary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2320is-VARHN.tmpC:\Program Files\PrintFolders\is-4GS8S.tmptext
MD5:C8B211D81EB7D4F9EBB071A117444D51
SHA256:AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
2320is-VARHN.tmpC:\Program Files\PrintFolders\is-7ON5D.tmpexecutable
MD5:BCD1868E95254F9531A7FF38461C0D72
SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C
2320is-VARHN.tmpC:\Program Files\PrintFolders\Guide.chmchm
MD5:204A5BF160646F9A55ED70AB6E1A07A6
SHA256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
2320is-VARHN.tmpC:\Program Files\PrintFolders\Russian.dllexecutable
MD5:4FB606EDBDE8EFB6D34E6E1BC5F677F1
SHA256:A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
2320is-VARHN.tmpC:\Program Files\PrintFolders\License.txttext
MD5:A5E8094B0CBADE929AEE07F5DA5E9429
SHA256:F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
2320is-VARHN.tmpC:\Program Files\PrintFolders\History.txttext
MD5:C8B211D81EB7D4F9EBB071A117444D51
SHA256:AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
12
DNS requests
3
Threats
24

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1492
rundll32.exe
POST
200
77.73.133.72:80
http://77.73.133.72/hfk3vK9/index.php
KZ
malicious
2480
PrintFolders.exe
GET
200
45.139.105.171:80
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
BG
binary
1 b
unknown
2480
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/ping.php
US
text
17 b
suspicious
2480
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
386 Kb
suspicious
3884
VSEa235z.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
1988
gntuud.exe
POST
77.73.133.72:80
http://77.73.133.72/hfk3vK9/index.php
KZ
malicious
2480
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/extension.php
US
binary
92.0 Kb
suspicious
2480
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
suspicious
2480
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
615 Kb
suspicious
2480
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
3.78 Mb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2480
PrintFolders.exe
45.139.105.171:80
Xdeer Limited
BG
unknown
1988
gntuud.exe
77.73.133.72:80
Partner LLC
KZ
malicious
3884
VSEa235z.exe
192.124.249.22:80
ocsp.godaddy.com
SUCURI-SEC
US
suspicious
2480
PrintFolders.exe
171.22.30.106:80
Delis LLC
US
suspicious
2480
PrintFolders.exe
107.182.129.235:80
Delis LLC
US
suspicious
1492
rundll32.exe
77.73.133.72:80
Partner LLC
KZ
malicious
3884
VSEa235z.exe
195.201.250.87:80
Hetzner Online GmbH
DE
malicious
3884
VSEa235z.exe
8.248.149.254:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
3884
VSEa235z.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
malicious

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
ctldl.windowsupdate.com
  • 8.248.149.254
  • 8.248.143.254
  • 8.248.113.254
  • 8.248.119.254
  • 8.248.117.254
whitelisted
ocsp.godaddy.com
  • 192.124.249.22
  • 192.124.249.23
  • 192.124.249.24
  • 192.124.249.36
  • 192.124.249.41
whitelisted

Threats

PID
Process
Class
Message
2480
PrintFolders.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 9
2480
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2480
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2480
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2480
PrintFolders.exe
Misc activity
ET INFO Packed Executable Download
2480
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2480
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3884
VSEa235z.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
3884
VSEa235z.exe
A Network Trojan was detected
ET TROJAN Arkei/Vidar/Mars Stealer Variant
2480
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2 ETPRO signatures available at the full report
No debug info