File name:

581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe

Full analysis: https://app.any.run/tasks/bf39c027-7780-4c50-b6b4-b445a5c51ef5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 21, 2024, 20:31:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
vidar
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F2959059828270BA768B14E728326811
SHA1: E30D676FE5B2526EE5BB757CDD6F280447014C0E
SHA256: 581BEB90D3A95664AD5324ED52B99C37B22D68615F5395FB2AAEC375BB11FFEF
SSDEEP: 98304:/keY8SWjgKG+wYMPkAhVIDT2GDk2iJxS0irxAN5bz:e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe (PID: 2680)
      • kat4999.tmp (PID: 5244)
    • VIDAR has been detected (YARA)

      • kat4999.tmp (PID: 5244)
    • Actions look like stealing of personal data

      • kat4999.tmp (PID: 5244)
    • Steals credentials from Web Browsers

      • kat4999.tmp (PID: 5244)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe (PID: 2680)
    • Starts application with an unusual extension

      • 581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe (PID: 2680)
    • Reads security settings of Internet Explorer

      • kat4999.tmp (PID: 5244)
    • Checks Windows Trust Settings

      • kat4999.tmp (PID: 5244)
    • Searches for installed software

      • kat4999.tmp (PID: 5244)
    • Connects to the server without a host name

      • kat4999.tmp (PID: 5244)
    • Process requests binary or script from the Internet

      • kat4999.tmp (PID: 5244)
  • INFO

    • Checks supported languages

      • kat4999.tmp (PID: 5244)
      • 581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe (PID: 2680)
    • Reads the computer name

      • kat4999.tmp (PID: 5244)
    • Checks proxy server information

      • kat4999.tmp (PID: 5244)
    • Creates files in the program directory

      • kat4999.tmp (PID: 5244)
    • Reads the machine GUID from the registry

      • kat4999.tmp (PID: 5244)
    • Reads the software policy settings

      • kat4999.tmp (PID: 5244)
    • Creates files or folders in the user directory

      • kat4999.tmp (PID: 5244)
    • Reads product name

      • kat4999.tmp (PID: 5244)
    • Reads Environment values

      • kat4999.tmp (PID: 5244)
    • Reads CPU info

      • kat4999.tmp (PID: 5244)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (66)
.exe | Win32 Executable Borland Delphi 6 (26)
.exe | Win32 EXE PECompact compressed (generic) (4.1)
.exe | Win32 Executable Delphi generic (1.4)
.scr | Windows screen saver (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 656384
InitializedDataSize: 1528320
UninitializedDataSize: -
EntryPoint: 0xa12f0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 117
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: 581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe (start); kat4999.tmp (#VIDAR); filecoauth.exe (no specs)

Process information

PID: 2492
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (Images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 2680
CMD: "C:\Users\admin\Desktop\581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe"
Path: C:\Users\admin\Desktop\581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\desktop\581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 5244
CMD: C:\Users\admin\AppData\Local\Temp\kat4999.tmp
Path: C:\Users\admin\AppData\Local\Temp\kat4999.tmp
Parent process: 581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe
User: admin
Integrity Level: MEDIUM
Description: Resource viewer, decompiler & recompiler.
Exit code: 0
Version: 3.4.0.79
Modules (Images):
c:\users\admin\appdata\local\temp\kat4999.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 4,310
Read events: 4,299
Write events: 11
Delete events: 0

Modification events

(PID) Process: (5244) kat4999.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5244) kat4999.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5244) kat4999.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (5244) kat4999.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (5244) kat4999.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (5244) kat4999.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (5244) kat4999.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 1
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2680 | 581beb90d3a95664ad5324ed52b99c37b22d68615f5395fb2aaec375bb11ffef.exe | C:\Users\admin\AppData\Local\Temp\kat4999.tmp | executable
MD5: 66064DBDB70A5EB15EBF3BF65ABA254B
SHA256: 6A94DBDA2DD1EDCFF2331061D65E1BAF09D4861CC7BA590C5EC754F3AC96A795
2492 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-21.2033.2492.1.aodl | binary
MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
2492 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-21.2033.2492.1.odl | binary
MD5: 0E168E787F9BEFA99606449B8DF40019
SHA256: E63598FF4C7A13E6C00849323B8EC1DA1FAA2974B84E44892B174BD614E0C92B
5244 | kat4999.tmp | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\76561199689717899[1].htm | html
MD5: 2A95C6B1ADA1547464E3FA76F8740197
SHA256: 4AD5929228DE69CE9AE45BEF60C29AE2ED1121A02A89B3111CB004A5B6008103
HTTP(S) requests: 10
TCP/UDP connections: 31
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1744 | RUXIMICS.exe | GET | 200 | 72.247.176.73:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
1744 | RUXIMICS.exe | GET | 200 | 92.122.89.124:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 92.122.89.124:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
5244 | kat4999.tmp | GET | 200 | 142.250.185.196:443 | https://78.47.123.174/ | unknown | | |
5244 | kat4999.tmp | GET | 200 | 96.7.6.111:443 | https://steamcommunity.com/profiles/76561199689717899 | unknown | html | 33.9 Kb |
 | | POST | 200 | 142.250.185.196:443 | https://78.47.123.174/ | unknown | text | 58 b |
5244 | kat4999.tmp | GET | 200 | 142.250.185.196:443 | https://78.47.123.174/sqls.dll | unknown | executable | 2.35 Mb |
5244 | kat4999.tmp | POST | 200 | 142.250.185.196:443 | https://78.47.123.174/ | unknown | text | 5 b |
5244 | kat4999.tmp | POST | 200 | 142.250.185.196:443 | https://78.47.123.174/ | unknown | text | 2 b |
2908 | OfficeClickToRun.exe | POST | 200 | 13.89.179.13:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 239.255.255.250:1900 | | | | unknown
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1744 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1744 | RUXIMICS.exe | 72.247.176.73:80 | crl.microsoft.com | Akamai International B.V. | GB | unknown
1744 | RUXIMICS.exe | 92.122.89.124:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
5244 | kat4999.tmp | 96.7.6.111:443 | steamcommunity.com | INTERNEXA S.A. E.S.P | CO | unknown
5140 | MoUsoCoreWorker.exe | 92.122.89.124:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
5632 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 72.247.176.73, 95.101.63.66 | whitelisted
www.microsoft.com | 92.122.89.124 | whitelisted
steamcommunity.com | 96.7.6.111 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
self.events.data.microsoft.com | 52.168.117.169 | whitelisted

Threats

No threats detected
No debug info