File name:

Vidar.bin.zip

Full analysis: https://app.any.run/tasks/2e6aa81e-a66f-4893-a027-d0e84335974f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: September 23, 2020, 14:25:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
vidar
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

05E0C6151E99ADA1D41A9DB28AE69F49

SHA1:

84761D825FCB7F10D928801786284C47502359EA

SHA256:

2EA4F481286B48D3A004A6E1B14EB2FC360C810BBD0978B347074539E562D8D1

SSDEEP:

24576:LgqKPf2iMW7VRgznhmWbyB+8leYoZz9DXEN:EqyZMWjgJuB+8leYwZUN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • asd.exe (PID: 2584)
      • IPVAZJHRD.exe (PID: 2712)

    • VIDAR was detected

      • IPVAZJHRD.exe (PID: 2712)

    • Actions looks like stealing of personal data

      • IPVAZJHRD.exe (PID: 2712)

    • Stealing of credential data

      • IPVAZJHRD.exe (PID: 2712)

    • Changes settings of System certificates

      • IPVAZJHRD.exe (PID: 2712)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • IPVAZJHRD.exe (PID: 2712)

    • Searches for installed software

      • IPVAZJHRD.exe (PID: 2712)

    • Executable content was dropped or overwritten

      • asd.exe (PID: 2584)

    • Creates files in the program directory

      • IPVAZJHRD.exe (PID: 2712)

    • Checks for external IP

      • IPVAZJHRD.exe (PID: 2712)

    • Adds / modifies Windows certificates

      • IPVAZJHRD.exe (PID: 2712)

  • INFO

    • Manual execution by user

      • asd.exe (PID: 2584)
      • IPVAZJHRD.exe (PID: 2712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2020:09:23 14:24:28
ZipCRC: 0xb2c8781a
ZipCompressedSize: 951320
ZipUncompressedSize: 1545728
ZipFileName: Vidar Stealer Cracked [XakFor.Net].bin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs asd.exe #VIDAR ipvazjhrd.exe

Process information

PID
CMD
Path
Indicators
Parent process
1588"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Vidar.bin.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2584"C:\Users\admin\Desktop\asd.exe" C:\Users\admin\Desktop\asd.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Vidar Stealer Cracked [XakFor.Net]
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\asd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2712"C:\Users\admin\Desktop\IPVAZJHRD.exe" C:\Users\admin\Desktop\IPVAZJHRD.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\ipvazjhrd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
1 046
Read events
942
Write events
98
Delete events
6

Modification events

(PID) Process:(1588) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1588) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1588) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1588) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Vidar.bin.zip
(PID) Process:(1588) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1588) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1588) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1588) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1588) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(1588) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
1
Suspicious files
9
Text files
13
Unknown types
5

Dropped files

PID
Process
Filename
Type
1588WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb1588.47050\Vidar Stealer Cracked [XakFor.Net].bin
MD5:
SHA256:
2584asd.exeC:\Users\admin\Desktop\stub.bin
MD5:
SHA256:
2712IPVAZJHRD.exeC:\Users\admin\AppData\Local\Temp\CabEFB1.tmp
MD5:
SHA256:
2712IPVAZJHRD.exeC:\Users\admin\AppData\Local\Temp\TarEFB2.tmp
MD5:
SHA256:
2584asd.exeC:\Users\admin\Desktop\IPVAZJHRD.exeexecutable
MD5:
SHA256:
2712IPVAZJHRD.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4Fder
MD5:
SHA256:
2712IPVAZJHRD.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC5A820A001B41D68902E051F36A5282_8E3C8134D7E3FD33F7D0A675B9ADD655der
MD5:
SHA256:
2712IPVAZJHRD.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894binary
MD5:
SHA256:
2712IPVAZJHRD.exeC:\ProgramData\VE9DXH5EESGRAXP7110W\files\outlook.txt
MD5:
SHA256:
2712IPVAZJHRD.exeC:\ProgramData\VE9DXH5EESGRAXP7110W\files\information.txt
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
9
DNS requests
7
Threats
31

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2712
IPVAZJHRD.exe
GET
200
13.35.253.148:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
2712
IPVAZJHRD.exe
POST
307
143.204.215.24:80
http://klick.com/
US
html
185 b
malicious
2712
IPVAZJHRD.exe
GET
200
143.204.208.160:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
US
der
1.70 Kb
whitelisted
2712
IPVAZJHRD.exe
GET
200
13.35.253.198:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
der
1.39 Kb
shared
2712
IPVAZJHRD.exe
POST
307
143.204.215.24:80
http://klick.com/
US
html
185 b
malicious
2712
IPVAZJHRD.exe
GET
301
143.204.215.24:80
http://klick.com/msvcp140.dll
US
html
183 b
malicious
2712
IPVAZJHRD.exe
POST
200
208.95.112.1:80
http://ip-api.com/line/
unknown
text
192 b
malicious
2712
IPVAZJHRD.exe
GET
301
143.204.215.24:80
http://klick.com/softokn3.dll
US
html
183 b
malicious
2712
IPVAZJHRD.exe
GET
301
143.204.215.24:80
http://klick.com/nss3.dll
US
html
183 b
malicious
2712
IPVAZJHRD.exe
GET
301
143.204.215.24:80
http://klick.com/freebl3.dll
US
html
183 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2712
IPVAZJHRD.exe
143.204.208.79:80
o.ss2.us
US
whitelisted
2712
IPVAZJHRD.exe
13.35.253.198:80
ocsp.rootg2.amazontrust.com
US
whitelisted
2712
IPVAZJHRD.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
2712
IPVAZJHRD.exe
143.204.208.160:80
o.ss2.us
US
malicious
2712
IPVAZJHRD.exe
13.35.253.148:80
ocsp.rootg2.amazontrust.com
US
whitelisted
2712
IPVAZJHRD.exe
143.204.215.46:443
klick.com
US
suspicious
2712
IPVAZJHRD.exe
143.204.215.24:443
klick.com
US
malicious
2712
IPVAZJHRD.exe
143.204.215.24:80
klick.com
US
malicious

DNS requests

Domain
IP
Reputation
klick.com
  • 143.204.215.24
  • 143.204.215.114
  • 143.204.215.33
  • 143.204.215.46
malicious
o.ss2.us
  • 143.204.208.160
  • 143.204.208.127
  • 143.204.208.79
  • 143.204.208.165
whitelisted
ocsp.rootg2.amazontrust.com
  • 13.35.253.148
  • 13.35.253.185
  • 13.35.253.5
  • 13.35.253.198
whitelisted
ocsp.rootca1.amazontrust.com
  • 13.35.253.198
  • 13.35.253.5
  • 13.35.253.185
  • 13.35.253.148
shared
ocsp.sca1b.amazontrust.com
  • 143.204.208.79
  • 143.204.208.173
  • 143.204.208.150
  • 143.204.208.145
whitelisted
www.klick.com
  • 143.204.215.46
  • 143.204.215.33
  • 143.204.215.114
  • 143.204.215.24
malicious
ip-api.com
  • 208.95.112.1
malicious

Threats

PID
Process
Class
Message
2712
IPVAZJHRD.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
2712
IPVAZJHRD.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer
2712
IPVAZJHRD.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
2712
IPVAZJHRD.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
2712
IPVAZJHRD.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer
2712
IPVAZJHRD.exe
A Network Trojan was detected
ET TROJAN Vidar/Arkei Stealer Client Data Upload
2712
IPVAZJHRD.exe
A Network Trojan was detected
ET TROJAN Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
2712
IPVAZJHRD.exe
A Network Trojan was detected
STEALER [PTsecurity] Generic Stealers activity (Nocturnal/Vidar)
2712
IPVAZJHRD.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
2712
IPVAZJHRD.exe
A Network Trojan was detected
STEALER [PTsecurity] Vidar
10 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Vidar.bin.zip