analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

output.exe

Full analysis: https://app.any.run/tasks/e58ddefc-32bc-4421-b79c-e0fae7664a55
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 12, 2020, 15:43:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
stealer
vidar
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

3DE6EE18556D6366CA17A3795C9387CD

SHA1:

EC0C58E2B895AC5522E941F1A6A54BD78D63B466

SHA256:

314604A30B81C804A3D8FE8739B554E9B37EEE87443CB8B14E91F857E19AF90B

SSDEEP:

98304:ixQa8S1WyPdFdBAETIEbFc/LUZqTxQepkes+i/MJ:BaZ0yldxTIP/L0qltpkes7/M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • file_exe.exe (PID: 572)
    • VIDAR was detected

      • file_exe.exe (PID: 572)
    • Loads dropped or rewritten executable

      • output.exe (PID: 3300)
      • file_exe.exe (PID: 572)
    • Stealing of credential data

      • file_exe.exe (PID: 572)
    • Actions looks like stealing of personal data

      • file_exe.exe (PID: 572)
  • SUSPICIOUS

    • Application launched itself

      • output.exe (PID: 2128)
    • Executable content was dropped or overwritten

      • output.exe (PID: 2128)
      • output.exe (PID: 3300)
      • file_exe.exe (PID: 572)
    • Loads Python modules

      • output.exe (PID: 3300)
    • Starts CMD.EXE for commands execution

      • output.exe (PID: 3300)
      • file_exe.exe (PID: 572)
    • Reads Internet Cache Settings

      • file_exe.exe (PID: 572)
    • Creates files in the program directory

      • file_exe.exe (PID: 572)
    • Reads the cookies of Mozilla Firefox

      • file_exe.exe (PID: 572)
    • Creates files in the user directory

      • file_exe.exe (PID: 572)
    • Reads the cookies of Google Chrome

      • file_exe.exe (PID: 572)
    • Searches for installed software

      • file_exe.exe (PID: 572)
    • Checks for external IP

      • file_exe.exe (PID: 572)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 860)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 3592)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3592)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:01:05 13:16:15+01:00
PEType: PE32
LinkerVersion: 14
CodeSize: 128512
InitializedDataSize: 180224
UninitializedDataSize: -
EntryPoint: 0x7a6a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 05-Jan-2020 12:16:15

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 05-Jan-2020 12:16:15
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001F4D4
0x0001F600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.6643
.rdata
0x00021000
0x0000B19E
0x0000B200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.11204
.data
0x0002D000
0x0000E680
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.93811
.gfids
0x0003C000
0x000000B8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.86299
.rsrc
0x0003D000
0x0001E830
0x0001EA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.48108
.reloc
0x0005C000
0x000017D4
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.65456

Resources

Title
Entropy
Size
Codepage
Language
Type
0
1.98048
20
Latin 1 / Western European
UNKNOWN
RT_GROUP_ICON
1
5.30126
1007
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
2
6.05629
2216
Latin 1 / Western European
UNKNOWN
RT_ICON
3
5.5741
1384
Latin 1 / Western European
UNKNOWN
RT_ICON
4
7.95079
37019
Latin 1 / Western European
UNKNOWN
RT_ICON
5
5.29119
9640
Latin 1 / Western European
UNKNOWN
RT_ICON
6
5.43869
4264
Latin 1 / Western European
UNKNOWN
RT_ICON
7
5.89356
1128
Latin 1 / Western European
UNKNOWN
RT_ICON
101
2.71858
104
Latin 1 / Western European
UNKNOWN
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
WS2_32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start output.exe output.exe cmd.exe no specs #VIDAR file_exe.exe cmd.exe no specs taskkill.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2128"C:\Users\admin\AppData\Local\Temp\output.exe" C:\Users\admin\AppData\Local\Temp\output.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3300"C:\Users\admin\AppData\Local\Temp\output.exe" C:\Users\admin\AppData\Local\Temp\output.exe
output.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
664C:\Windows\system32\cmd.exe /c file_exe.exeC:\Windows\system32\cmd.exeoutput.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
572file_exe.exeC:\Users\admin\AppData\Local\Temp\file_exe.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
860"C:\Windows\System32\cmd.exe" /c taskkill /im file_exe.exe /f & erase C:\Users\admin\AppData\Local\Temp\file_exe.exe & exitC:\Windows\System32\cmd.exefile_exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3964taskkill /im file_exe.exe /f C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3592"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\noticed.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Total events
805
Read events
543
Write events
0
Delete events
0

Modification events

No data
Executable files
21
Suspicious files
0
Text files
11
Unknown types
9

Dropped files

PID
Process
Filename
Type
2128output.exeC:\Users\admin\AppData\Local\Temp\_MEI21282\output.exe.manifestxml
MD5:98732938E9F31C74F1E598E3D7F29360
SHA256:F0A586239E24994CBABB2E05D9C6C10118C279BA06FBEB2B2B4E03BD225DEE33
3300output.exeC:\Users\admin\AppData\Local\Temp\file_exe.exeexecutable
MD5:1B54E9F6BA3A1CAA21B6D12895E34CDB
SHA256:8E37B2ABDF3625B334F49A230A6A8B4603BE97A8150C01641B9F41E7B58C0C8B
2128output.exeC:\Users\admin\AppData\Local\Temp\_MEI21282\select.pydexecutable
MD5:BDC7B944B9319F9708AF1949B42BAE4B
SHA256:83B5C76D938BC50E58C851D56EF8CBC1001D2E81A1E1F8F5DFED2245244C1472
2128output.exeC:\Users\admin\AppData\Local\Temp\_MEI21282\Microsoft.VC90.CRT.manifestxml
MD5:37AC76D10C5C1C224F93023120AE3B55
SHA256:2005EA8103589A4E4C9D26B61B00A81B0F4E0573A0C447617163FAC87D79BED2
2128output.exeC:\Users\admin\AppData\Local\Temp\_MEI21282\unicodedata.pydexecutable
MD5:CFA3517E25C37E808AF38FBEAF7F456E
SHA256:061926AEAAF4F7E0212552CD4BB5D6AF0E8607EC77F6EB836B6612AB86645AC9
2128output.exeC:\Users\admin\AppData\Local\Temp\_MEI21282\msvcr90.dllexecutable
MD5:11D49148A302DE4104DED6A92B78B0ED
SHA256:CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
572file_exe.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\mozglue[1].dllexecutable
MD5:8F73C08A9660691143661BF7332C3C27
SHA256:3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
2128output.exeC:\Users\admin\AppData\Local\Temp\_MEI21282\msvcp90.dllexecutable
MD5:90A32D8E07F7FB3D102EAB1DA28F0723
SHA256:004ED24507DC7307CEC1A3732FA57EABF19E918C3E1B54561E6CC01F554C0B77
2128output.exeC:\Users\admin\AppData\Local\Temp\_MEI21282\_hashlib.pydexecutable
MD5:24C2F70FF5C6EADDB995F2CBB4BC4890
SHA256:8DCEAFAAEC28740385B1CB8CF2655DB68ECF2E561053BFE494795019542491E4
572file_exe.exeC:\ProgramData\5EX8EO7KBU21SKU09RCHBQVCW\c-shm
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
572
file_exe.exe
POST
200
208.95.112.1:80
http://ip-api.com/line/
unknown
text
161 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
572
file_exe.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
572
file_exe.exe
78.142.29.223:80
mammalson.com
BlueAngelHost Pvt. Ltd
BG
malicious

DNS requests

Domain
IP
Reputation
mammalson.com
  • 78.142.29.223
malicious
ip-api.com
  • 208.95.112.1
shared

Threats

PID
Process
Class
Message
572
file_exe.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
572
file_exe.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer
572
file_exe.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer HTTP Response
572
file_exe.exe
A Network Trojan was detected
STEALER [PTsecurity] Vidar Stealer Server Response
572
file_exe.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
572
file_exe.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
572
file_exe.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
572
file_exe.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer
572
file_exe.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
572
file_exe.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer
4 ETPRO signatures available at the full report
No debug info