File name: 1.bin
Full analysis: https://app.any.run/tasks/08f7fd51-024e-4aa0-a2f8-661362f8b398
Verdict: Malicious activity
Threats:

STOP ransomware: the submitted sample itself is detected as STOP (see the "stop" tag and the "Stop is detected" indicator below). In this run it copies itself to a GUID-named folder under %LOCALAPPDATA%, locks that folder with icacls, relaunches with the --Admin IsNotAutoStart IsNotTask and --Task switches, persists through a scheduled task, and downloads two secondary payloads, build2.exe and build3.exe.

Vidar: an information stealer that harvests browser credentials and cookies, cryptocurrency wallet data and host information from infected systems. It takes its name from the Norse god of vengeance and is a fork of the Arkei stealer, in circulation since 2018. Here it arrives as the dropped build2.exe.

Analysis date: December 06, 2022, 02:14:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ransomware
stop
loader
stealer
vidar
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F608DC8BF90AD1E12AA2288FD754465A
SHA1: 388FFB1B0838745F479DA7D33301A9CBC16EB8B9
SHA256: D2002A6D2FCB905DE51CC5C9487D373E4C8894D91E81CE575698AECA556814CE
SSDEEP: 12288:w+PkEd8Y/WYgrUxi/37xZ3Ev4csYklZV318NUMY+vbp6Fy6nDchcVS:w+Pdd84i3tBOGXV31e1MFx4+U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 1.bin.exe (PID: 404)
    • Stop is detected

      • 1.bin.exe (PID: 2864)
      • 1.bin.exe (PID: 1640)
    • Application was dropped or rewritten from another process

      • build2.exe (PID: 2444)
      • build2.exe (PID: 3596)
      • build3.exe (PID: 1796)
      • mstsca.exe (PID: 3792)
    • Renames files like ransomware

      • 1.bin.exe (PID: 1640)
    • Drops the executable file immediately after the start

      • build3.exe (PID: 1796)
      • build2.exe (PID: 3596)
    • Loads dropped or rewritten executable

      • build2.exe (PID: 3596)
    • Steals credentials from Web Browsers

      • build2.exe (PID: 3596)
    • VIDAR was detected

      • build2.exe (PID: 3596)
  • SUSPICIOUS

    • Reads the Internet Settings

      • 1.bin.exe (PID: 404)
      • 1.bin.exe (PID: 2864)
      • 1.bin.exe (PID: 1640)
      • build2.exe (PID: 3596)
    • Reads security settings of Internet Explorer

      • 1.bin.exe (PID: 404)
      • 1.bin.exe (PID: 2864)
      • 1.bin.exe (PID: 1640)
      • build2.exe (PID: 3596)
    • Application launched itself

      • 1.bin.exe (PID: 1756)
      • 1.bin.exe (PID: 404)
      • 1.bin.exe (PID: 2592)
      • 1.bin.exe (PID: 1220)
      • build2.exe (PID: 2444)
    • Checks Windows Trust Settings

      • 1.bin.exe (PID: 404)
      • 1.bin.exe (PID: 2864)
      • 1.bin.exe (PID: 1640)
      • build2.exe (PID: 3596)
    • Reads settings of System Certificates

      • 1.bin.exe (PID: 404)
      • 1.bin.exe (PID: 2864)
      • 1.bin.exe (PID: 1640)
      • build2.exe (PID: 3596)
    • Adds/modifies Windows certificates

      • 1.bin.exe (PID: 404)
      • 1.bin.exe (PID: 2864)
    • Process requests binary or script from the Internet

      • 1.bin.exe (PID: 2864)
    • Executes via Task Scheduler

      • 1.bin.exe (PID: 1220)
      • mstsca.exe (PID: 3792)
    • Executable content was dropped or overwritten

      • build3.exe (PID: 1796)
      • build2.exe (PID: 3596)
    • Reads browser cookies

      • build2.exe (PID: 3596)
    • Connects to the server without a host name

      • build2.exe (PID: 3596)
    • Searches for installed software

      • build2.exe (PID: 3596)
  • INFO

    • Reads the computer name

      • 1.bin.exe (PID: 404)
      • 1.bin.exe (PID: 2864)
      • 1.bin.exe (PID: 1640)
      • build2.exe (PID: 3596)
    • Checks proxy server information

      • 1.bin.exe (PID: 404)
      • 1.bin.exe (PID: 2864)
      • 1.bin.exe (PID: 1640)
      • build2.exe (PID: 3596)
    • Checks supported languages

      • 1.bin.exe (PID: 404)
      • 1.bin.exe (PID: 1756)
      • 1.bin.exe (PID: 2592)
      • 1.bin.exe (PID: 2864)
      • 1.bin.exe (PID: 1220)
      • 1.bin.exe (PID: 1640)
      • build2.exe (PID: 2444)
      • build2.exe (PID: 3596)
      • build3.exe (PID: 1796)
      • mstsca.exe (PID: 3792)
    • Manual execution by a user

      • mmc.exe (PID: 3412)
      • mmc.exe (PID: 3232)
      • explorer.exe (PID: 3416)
      • NOTEPAD.EXE (PID: 3404)
    • Dropped object may contain Bitcoin addresses

      • build3.exe (PID: 1796)
    • Reads product name

      • build2.exe (PID: 3596)
    • Reads Environment values

      • build2.exe (PID: 3596)
    • Drops a file that was compiled in debug mode

      • build2.exe (PID: 3596)
    • Creates files in the program directory

      • build2.exe (PID: 3596)
    • Reads the CPU's name

      • build2.exe (PID: 3596)
    • Reads CPU info

      • build2.exe (PID: 3596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-May-09 21:31:17
Debug artifacts:
  • C:\ziwecixuve\rupu xuca72 balin.pdb

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 224

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2022-May-09 21:31:17
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name  | Virtual Address | Virtual Size | Raw Size | Characteristics                                                         | Entropy
.text | 4096            | 106588       | 107008   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ           | 6.34364
.data | 114688          | 710888       | 600064   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99279
.rsrc | 827392          | 102488       | 102912   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                      | 5.51356

Resources

Title | Entropy | Size | Codepage | Language | Type
1     | 5.33895 | 1736 | UNKNOWN  | UNKNOWN  | RT_ICON
2     | 5.47765 | 1384 | UNKNOWN  | UNKNOWN  | RT_ICON
3     | 5.08275 | 4264 | UNKNOWN  | UNKNOWN  | RT_ICON
4     | 5.44877 | 1128 | UNKNOWN  | UNKNOWN  | RT_ICON
5     | 5.72523 | 2216 | UNKNOWN  | UNKNOWN  | RT_ICON
6     | 5.98694 | 1736 | UNKNOWN  | UNKNOWN  | RT_ICON
7     | 5.89149 | 1384 | UNKNOWN  | UNKNOWN  | RT_ICON
8     | 5.11653 | 4264 | UNKNOWN  | UNKNOWN  | RT_ICON
9     | 4.66394 | 2440 | UNKNOWN  | UNKNOWN  | RT_ICON
10    | 4.73079 | 1128 | UNKNOWN  | UNKNOWN  | RT_ICON

Imports

GDI32.dll
KERNEL32.dll
No data.
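The static data above is the most telling part of the report before anything runs: .data has entropy 7.99 and a VirtualSize (710888) well above its RawSize (600064), the import table names only GDI32.dll and KERNEL32.dll, and the PDB path is junk. Together these read as a crypter stub that decrypts and unpacks the real payload into .data at run time. The Python below is an added example, not part of the ANY.RUN report or its tooling: it parses a PE section table with the standard library, computes per-section entropy, and applies those heuristics. The 7.2 entropy threshold and the 10% VirtualSize/RawSize margin are my choices, REPORT_SECTIONS copies the table above, and build_sample_pe() constructs a two-section PE skeleton as offline test input.

```python
"""PE section triage: parse the section table, compute entropy, flag packer traits.
Added example for this report; standard library only."""
import math
import struct
from collections import Counter
from typing import List, NamedTuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def read_sections(pe: bytes) -> List[Section]:
    """Walk MZ header -> e_lfanew -> COFF header -> section headers (40 bytes each)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        body = pe[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, raw_size, chars, shannon_entropy(body)))
    return sections


def triage(sections: List[Section], import_dlls: List[str],
           high_entropy: float = 7.2, growth: float = 1.1) -> List[str]:
    """Heuristics that together suggest a crypter stub carrying an encrypted payload."""
    findings = []
    for s in sections:
        if s.entropy >= high_entropy:
            findings.append(f"{s.name}: entropy {s.entropy:.2f}, encrypted or compressed data")
        if s.virtual_size > s.raw_size * growth:
            findings.append(f"{s.name}: VirtualSize {s.virtual_size} > RawSize {s.raw_size}, "
                            "section grows at load (room for an unpacked image)")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s.name}: writable and executable")
    if len(import_dlls) <= 2:
        findings.append(f"only {len(import_dlls)} import DLL(s): APIs likely resolved at run time")
    return findings


# Section table and import list copied from this report's static analysis.
REPORT_SECTIONS = [
    Section(".text", 106588, 107008, 0x60000020, 6.34364),
    Section(".data", 710888, 600064, 0xC0000040, 7.99279),
    Section(".rsrc", 102488, 102912, 0x40000040, 5.51356),
]
REPORT_IMPORTS = ["GDI32.dll", "KERNEL32.dll"]


def build_sample_pe() -> bytes:
    """Constructed two-section PE skeleton (headers plus raw section bytes; not runnable)."""
    opt_size = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    raw_start = 64 + 4 + 20 + opt_size + 40 * 2                 # data follows the headers
    text = b"\x90" * 64                                          # constant bytes, entropy 0
    data = bytes(range(256))                                     # every byte once, entropy 8
    hdrs = struct.pack("<8sIIIIIIHHI", b".text", 64, 0x1000, len(text), raw_start,
                       0, 0, 0, 0, 0x60000020)
    hdrs += struct.pack("<8sIIIIIIHHI", b".data", 1024, 0x2000, len(data),
                        raw_start + len(text), 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + hdrs + text + data


if __name__ == "__main__":
    for line in triage(REPORT_SECTIONS, REPORT_IMPORTS):
        print("report:", line)
    for line in triage(read_sections(build_sample_pe()), ["KERNEL32.dll"]):
        print("sample:", line)
```

Run against the report's own numbers the script flags .data twice (entropy and growth) and the two-DLL import table, and nothing for .text or .rsrc. On a real file, pass the bytes to read_sections() and the DLL names from the import directory to triage(); a hit on all three is a strong cue to unpack dynamically rather than reverse the stub.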
All screenshots are available in the full report
Total processes
68
Monitored processes
19
Malicious processes
9
Suspicious processes
1

Behavior graph

Process nodes in graph order ("no specs" is the report's label for a process with no indicators of its own; #STOP and #VIDAR mark the detected families):
  • start
  • drop and start (three edges)
  • 1.bin.exe (no specs)
  • 1.bin.exe
  • icacls.exe (no specs)
  • 1.bin.exe (#STOP)
  • 1.bin.exe
  • mmc.exe (no specs)
  • mmc.exe
  • 1.bin.exe (no specs)
  • 1.bin.exe (#STOP)
  • build2.exe (no specs)
  • build2.exe (#VIDAR)
  • build3.exe
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • timeout.exe (no specs)
  • explorer.exe (no specs)
  • notepad.exe (no specs)
  • mstsca.exe (no specs)
  • schtasks.exe (no specs)

Process information

PID: 1756
CMD: "C:\Users\admin\Desktop\1.bin.exe"
Path: C:\Users\admin\Desktop\1.bin.exe
Parent process: Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 404
CMD: "C:\Users\admin\Desktop\1.bin.exe"
Path: C:\Users\admin\Desktop\1.bin.exe
Parent process: 1.bin.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
PID: 3476
CMD: icacls "C:\Users\admin\AppData\Local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed" /deny *S-1-1-0:(OI)(CI)(DE,DC)
(S-1-1-0 is the Everyone SID; the inherited deny of DE and DC removes delete rights on the staging folder and everything in it, so the copied binary cannot be removed without first fixing the ACL)
Path: C:\Windows\system32\icacls.exe
Parent process: 1.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
PID: 2592
CMD: "C:\Users\admin\Desktop\1.bin.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\Desktop\1.bin.exe
Parent process: 1.bin.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 2864
CMD: "C:\Users\admin\Desktop\1.bin.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\Desktop\1.bin.exe
Parent process: 1.bin.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 3232
CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path: C:\Windows\system32\mmc.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity console exited immediately and the Task Scheduler snap-in was relaunched elevated as PID 3412)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
PID: 3412
CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path: C:\Windows\system32\mmc.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 1220
CMD: C:\Users\admin\AppData\Local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed\1.bin.exe --Task
Path: C:\Users\admin\AppData\Local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed\1.bin.exe
Parent process: taskeng.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed\1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 1640
CMD: C:\Users\admin\AppData\Local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed\1.bin.exe --Task
Path: C:\Users\admin\AppData\Local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed\1.bin.exe
Parent process: 1.bin.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed\1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2444
CMD: "C:\Users\admin\AppData\Local\b5a59be5-976f-4abb-b6d5-371ae575b401\build2.exe"
Path: C:\Users\admin\AppData\Local\b5a59be5-976f-4abb-b6d5-371ae575b401\build2.exe
Parent process: 1.bin.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\b5a59be5-976f-4abb-b6d5-371ae575b401\build2.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winhttp.dll
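The process table above shows the STOP relaunch chain in clear text: the first instance (PID 1756) spawns a copy (404) that writes itself to a GUID-named folder under %LOCALAPPDATA%, runs icacls to deny Everyone (S-1-1-0) delete rights on that folder, relaunches at HIGH integrity with --Admin IsNotAutoStart IsNotTask, and is later started by taskeng.exe from the copied path with --Task. Each of those is a narrow, high-signal pattern for process-creation telemetry. The Python below is an added example, not from the report, that runs such rules over process events in the shape a Sysmon or EDR feed would give you; the event records are constructed from this report's process table plus one benign control, and the rule names are mine.

```python
"""Process-creation rules for the STOP ransomware relaunch chain seen in this report.
Added example; SAMPLE_EVENTS is constructed from the report's process table."""
import re
from typing import List, Tuple

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# %LOCALAPPDATA%\{GUID} staging folder; \b tolerates a trailing backslash or closing quote
GUID_DIR = re.compile(r"\\AppData\\Local\\" + GUID + r"\b", re.I)

# Rule name -> predicate over one event dict (pid, image, cmdline, parent, integrity).
RULES = {
    # icacls "<staging dir>" /deny *S-1-1-0:(OI)(CI)(DE,DC): Everyone loses delete rights
    "icacls_deny_everyone_delete": lambda e: (
        e["image"].lower().endswith("\\icacls.exe")
        and re.search(r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)", e["cmdline"]) is not None
        and GUID_DIR.search(e["cmdline"]) is not None),
    # Self-relaunch with the STOP command-line switches
    "admin_relaunch_flags": lambda e: re.search(
        r"--Admin\s+IsNotAutoStart\s+IsNotTask\b", e["cmdline"]) is not None,
    # Scheduled-task relaunch (taskeng.exe is the Windows 7 task host) ending in --Task
    "task_relaunch_flag": lambda e: re.search(r"\s--Task\s*$", e["cmdline"]) is not None,
    # Any executable running out of the GUID-named staging folder
    "exec_from_guid_dir": lambda e: GUID_DIR.search(e["image"]) is not None,
    # Same image name as the parent but integrity jumped to HIGH: UAC-elevated relaunch
    "elevated_self_relaunch": lambda e: (
        e["image"].rsplit("\\", 1)[-1].lower() == e["parent"].lower()
        and e["integrity"] == "HIGH"),
}


def evaluate(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every rule that fires on every event."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((e["pid"], name))
    return hits


STAGE = r"C:\Users\admin\AppData\Local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed"
SAMPLE_EVENTS = [  # constructed from the report's process table; last entry is a benign control
    dict(pid=1756, image=r"C:\Users\admin\Desktop\1.bin.exe", parent="Explorer.EXE",
         integrity="MEDIUM", cmdline=r'"C:\Users\admin\Desktop\1.bin.exe"'),
    dict(pid=404, image=r"C:\Users\admin\Desktop\1.bin.exe", parent="1.bin.exe",
         integrity="MEDIUM", cmdline=r'"C:\Users\admin\Desktop\1.bin.exe"'),
    dict(pid=3476, image=r"C:\Windows\system32\icacls.exe", parent="1.bin.exe",
         integrity="MEDIUM",
         cmdline=f'icacls "{STAGE}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    dict(pid=2592, image=r"C:\Users\admin\Desktop\1.bin.exe", parent="1.bin.exe",
         integrity="HIGH",
         cmdline=r'"C:\Users\admin\Desktop\1.bin.exe" --Admin IsNotAutoStart IsNotTask'),
    dict(pid=1220, image=STAGE + r"\1.bin.exe", parent="taskeng.exe",
         integrity="MEDIUM", cmdline=STAGE + r"\1.bin.exe --Task"),
    dict(pid=2444, parent="1.bin.exe", integrity="HIGH",
         image=r"C:\Users\admin\AppData\Local\b5a59be5-976f-4abb-b6d5-371ae575b401\build2.exe",
         cmdline=r'"C:\Users\admin\AppData\Local\b5a59be5-976f-4abb-b6d5-371ae575b401\build2.exe"'),
    dict(pid=3404, image=r"C:\Windows\system32\NOTEPAD.EXE", parent="Explorer.EXE",
         integrity="MEDIUM", cmdline=r'"C:\Windows\system32\NOTEPAD.EXE"'),
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The icacls rule is the one to wire up first: a user-mode process denying Everyone delete rights on a freshly created GUID folder under its own profile has no legitimate counterpart, and it fires before any file is encrypted. The integrity-jump rule needs the parent image and both integrity levels in the event, which Sysmon Event ID 1 provides.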
Total events
17 428
Read events
17 209
Write events
211
Delete events
8

Modification events

The ten events shown are all registry writes by PID 404 (1.bin.exe). They are the WinINet proxy, cache and zone settings that any process using the Internet Explorer HTTP stack touches on first use (note the wininet.dll module load for this PID above); the autorun write flagged under MALICIOUS is among the remaining write events in the full report, not in this excerpt.

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Name: ProxyEnable
Value: 0

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Name: SavedLegacySettings
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Name: CachePrefix
Value: (empty)

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Name: CachePrefix
Value: Cookie:

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Name: CachePrefix
Value: Visited:

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Name: ProxyBypass
Value: 1

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Name: IntranetName
Value: 1

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Name: UNCAsIntranet
Value: 1

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Name: AutoDetect
Value: 0

(PID 404) 1.bin.exe, write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Name: WpadDecisionReason
Value: 1
Executable files
12
Suspicious files
60
Text files
80
Unknown types
21

Dropped files

PID 404, 1.bin.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: binary
MD5: CFC12F4DC31F0BD39503356EFAA7A12C
SHA256: 081DC34895EC7E209C790ABA4783C50A0F981760E56B01085C953930DE6F474C

PID 404, 1.bin.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: compressed
MD5: F7DCB24540769805E5BB30D193944DCE
SHA256: 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA

PID 404, 1.bin.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: der
MD5: 97ACF0930CE9F2F69D40ED8E1178CEC6
SHA256: B38F02DE41DBB7DB433A5F440DFF85432150FF71D53B7EF8792D96DA80962343

PID 404, 1.bin.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: binary
MD5: D58487F15C1D9CF35AB22CC597B6BFB1
SHA256: 25CA2C9EA1361E9395B3489BF6CEE96B22A5BED65DA39F22087FA3A3386A41AD

PID 404, 1.bin.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 082BB9AC650184F3814C593968F38106
SHA256: 199A302793E3B52EE5BBE1D2E59074713F89900EE474556F07F20B1C49C218F0

PID 404, 1.bin.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: der
MD5: C51850A96D359A09A3A3A2249C52A92D
SHA256: D66175EC867BEE8F450F2F3AD05D9D161384241244E6D5CF791A608DD31EF175

PID 404, 1.bin.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\geo[1].json
Type: binary
MD5: B4D45C480058D08F9A042E5441513E28
SHA256: 6AA178C9C7B0E58CCAC7442D7D151D280395F22A879482CB7C70471E97F666A3

PID 404, 1.bin.exe
File: C:\Users\admin\AppData\Local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed\1.bin.exe
Type: executable
MD5: F608DC8BF90AD1E12AA2288FD754465A
SHA256: D2002A6D2FCB905DE51CC5C9487D373E4C8894D91E81CE575698AECA556814CE

PID 2864, 1.bin.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\get[1].htm
Type: binary
MD5: AD1840D103057F75EE5062955533A970
SHA256: D44AD35C319EBDB84526B6C744DC739E000C641FD482DE5F687504BFB957DDD1

PID 2864, 1.bin.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\geo[1].json
Type: binary
MD5: B4D45C480058D08F9A042E5441513E28
SHA256: 6AA178C9C7B0E58CCAC7442D7D151D280395F22A879482CB7C70471E97F666A3

Notes: the copy written to C:\Users\admin\AppData\Local\755bb92d-64e2-4215-a6bd-64ab3a87e6ed\1.bin.exe has the same MD5 and SHA256 as the submitted sample, so the staging copy is byte-identical and a hash block on the original also covers it. The CryptnetUrlCache entries are Windows certificate-revocation cache files written by the CRL and OCSP lookups listed under HTTP requests, not attacker content. geo[1].json and get[1].htm are WinINet cache copies of the two web replies the sample consumes: the geolocation answer and the 557-byte get.php check-in response.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
15
DNS requests
9
Threats
23

HTTP requests

PID  | Process    | Method | HTTP Code | IP                  | URL                                                                                                                                                      | CN | Type       | Size    | Reputation
404  | 1.bin.exe  | GET    | 200       | 8.241.89.254:80     | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?068e6a04bf60b030                                           | US | compressed | 4.70 Kb | whitelisted
404  | 1.bin.exe  | GET    | 200       | 104.18.32.68:80     | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D             | US | der        | 1.42 Kb | whitelisted
404  | 1.bin.exe  | GET    | 200       | 104.18.32.68:80     | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D          | US | der        | 2.18 Kb | whitelisted
2864 | 1.bin.exe  | GET    | 200       | 190.140.74.43:80    | http://uaery.top/dl/build2.exe                                                                                                                           | PA | executable | 258 Kb  | malicious
2864 | 1.bin.exe  | GET    | 200       | 222.236.49.123:80   | http://fresherlights.com/lancer/get.php?pid=6E3AAB7CB29BC9495DFDE01272C66F39&first=true                                                                  | KR | binary     | 557 b   | malicious
2864 | 1.bin.exe  | GET    | 200       | 222.236.49.123:80   | http://fresherlights.com/files/1/build3.exe                                                                                                              | KR | executable | 9.50 Kb | malicious
3596 | build2.exe | GET    | 200       | 192.124.249.23:80   | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D                         | US | der        | 1.66 Kb | whitelisted
3596 | build2.exe | GET    | 200       | 192.124.249.23:80   | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D                             | US | der        | 1.69 Kb | whitelisted
3596 | build2.exe | GET    | 200       | 168.119.167.188:80  | http://168.119.167.188/517                                                                                                                               | DE | text       | 233 b   | malicious
3596 | build2.exe | GET    | 200       | 192.124.249.23:80   | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D                 | US | der        | 1.74 Kb | whitelisted
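The HTTP table separates into three kinds of traffic: certificate plumbing (ctldl.windowsupdate.com and the OCSP responders) that any signature check on Windows produces, the STOP check-in and payload fetches (get.php?pid=<32 hex>&first=true, /dl/build2.exe and /files/1/build3.exe over plain HTTP, one of them from a .top domain), and the Vidar request to a bare IP with a numeric path (http://168.119.167.188/517, the "connects to the server without a host name" indicator). The Python below is an added example, not from the report, that classifies proxy-log style records against those patterns; the records are constructed from this report's HTTP table (the api.2ip.ua entry is an assumed HTTPS request, inferred only from the cached geo[1].json and the TLS connection), and the rule names are mine.

```python
"""Classify HTTP requests from a proxy log against the patterns in this report.
Added example; SAMPLE_REQUESTS is constructed from the report's HTTP table."""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Windows certificate-chain plumbing: noisy and expected from any binary that checks signatures
CERT_INFRA = {"ctldl.windowsupdate.com", "ocsp.comodoca.com", "ocsp.usertrust.com",
              "ocsp.godaddy.com"}
EXTERNAL_IP_LOOKUPS = {"api.2ip.ua"}
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)


def classify(rec: Dict[str, str]) -> List[str]:
    """Return zero or more labels for one request record (url, content_type)."""
    u = urlsplit(rec["url"])
    host = (u.hostname or "").lower()
    if host in CERT_INFRA:
        return ["cert_infra_benign"]
    labels = []
    if host in EXTERNAL_IP_LOOKUPS:
        labels.append("external_ip_lookup")
    # STOP check-in: .../get.php?pid=<32 hex machine id>&first=true
    qs = parse_qs(u.query)
    if (u.path.endswith("/get.php")
            and any(HEX32.match(v) for v in qs.get("pid", []))
            and qs.get("first") == ["true"]):
        labels.append("stop_checkin")
    # Executable fetched over cleartext HTTP (by declared type or by extension)
    if u.scheme == "http" and (rec.get("content_type") == "executable"
                               or u.path.lower().endswith(".exe")):
        labels.append("cleartext_exe_download")
    if host.endswith(".top"):
        labels.append("top_tld")
    # Bare IP host with an all-digit path: the Vidar config fetch seen in this report
    try:
        ipaddress.ip_address(host)
        if re.fullmatch(r"/\d+", u.path):
            labels.append("ip_literal_numeric_path")
    except ValueError:
        pass  # hostname, not an IP literal
    return labels


def summarize(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each URL to its labels, dropping the benign certificate traffic."""
    out = {}
    for rec in records:
        labels = classify(rec)
        if labels != ["cert_infra_benign"]:
            out[rec["url"]] = labels
    return out


SAMPLE_REQUESTS = [  # constructed from the report's HTTP table
    dict(url="http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?068e6a04bf60b030", content_type="compressed"),
    dict(url="http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D", content_type="der"),
    dict(url="http://uaery.top/dl/build2.exe", content_type="executable"),
    dict(url="http://fresherlights.com/lancer/get.php?pid=6E3AAB7CB29BC9495DFDE01272C66F39&first=true", content_type="binary"),
    dict(url="http://fresherlights.com/files/1/build3.exe", content_type="executable"),
    dict(url="http://168.119.167.188/517", content_type="text"),
    dict(url="https://api.2ip.ua/geo.json", content_type="binary"),  # assumed request; path inferred from the cached geo[1].json
]

if __name__ == "__main__":
    for url, labels in summarize(SAMPLE_REQUESTS).items():
        print(f"{', '.join(labels):40s} {url}")
```

The stop_checkin rule is the durable one: the download hosts and the .top domain rotate, but the pid=<32 hex>&first=true query shape has been stable across STOP campaigns, and the ip_literal_numeric_path rule catches the Vidar config fetch regardless of which server the sample is pointed at.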

Connections

PID  | Process    | IP                  | Domain                  | ASN                    | CN | Reputation
404  | 1.bin.exe  | 162.0.217.254:443   | api.2ip.ua              | NAMECHEAP-NET          | NL | suspicious
404  | 1.bin.exe  | 8.241.89.254:80     | ctldl.windowsupdate.com | LEVEL3                 | US | suspicious
2864 | 1.bin.exe  | 162.0.217.254:443   | api.2ip.ua              | NAMECHEAP-NET          | NL | suspicious
404  | 1.bin.exe  | 104.18.32.68:80     | ocsp.comodoca.com       | CLOUDFLARENET          |    | suspicious
2864 | 1.bin.exe  | 190.140.74.43:80    | uaery.top               | Cable Onda             | PA | malicious
1640 | 1.bin.exe  | 162.0.217.254:443   | api.2ip.ua              | NAMECHEAP-NET          | NL | suspicious
2864 | 1.bin.exe  | 222.236.49.123:80   | uaery.top               | SK Broadband Co Ltd    | KR | malicious
3596 | build2.exe | 149.154.167.99:443  | t.me                    | Telegram Messenger Inc | GB | malicious
3596 | build2.exe | 192.124.249.23:80   | ocsp.godaddy.com        | SUCURI-SEC             | US | suspicious
3596 | build2.exe | 168.119.167.188:80  |                         | Hetzner Online GmbH    | DE | malicious

Notes: api.2ip.ua is the geolocation lookup made by each 1.bin.exe instance that runs the payload path (PIDs 404, 2864 and 1640). The t.me connection from build2.exe, the process flagged as Vidar, comes immediately before its request to the bare IP 168.119.167.188; Vidar builds of this period read their current C2 address from a Telegram profile page, so t.me here acts as a dead-drop resolver rather than user traffic. The 222.236.49.123 row is attributed to uaery.top although the HTTP table shows it serving fresherlights.com; both domains resolve to that address (see DNS requests).

DNS requests

Domain
IP
Reputation
api.2ip.ua
  • 162.0.217.254
shared
ctldl.windowsupdate.com
  • 8.241.89.254
  • 8.241.121.254
  • 8.241.9.126
  • 8.238.29.254
  • 8.238.28.126
whitelisted
ocsp.comodoca.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
ocsp.usertrust.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
uaery.top
  • 190.140.74.43
  • 200.46.66.71
  • 181.94.48.228
  • 190.117.75.91
  • 175.120.254.9
  • 211.119.84.112
  • 211.40.39.251
  • 222.236.49.123
  • 58.235.189.192
  • 37.234.251.221
malicious
fresherlights.com
  • 222.236.49.123
  • 175.119.10.231
  • 123.140.161.243
  • 123.213.233.194
  • 186.182.55.44
  • 190.117.75.91
  • 211.40.39.251
  • 190.219.54.242
  • 190.147.188.50
  • 189.156.139.211
malicious
t.me
  • 149.154.167.99
whitelisted
ocsp.godaddy.com
  • 192.124.249.23
  • 192.124.249.24
  • 192.124.249.22
  • 192.124.249.36
  • 192.124.249.41
whitelisted

Note: uaery.top and fresherlights.com share three of their resolved addresses (190.117.75.91, 211.40.39.251, 222.236.49.123), so both STOP download hosts sit behind the same rotating address pool; block on the domain names and the full IP list, not on the single IP observed in this run.

Threats

PID  | Process   | Class                         | Message
     |           | A Network Trojan was detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua)
404  | 1.bin.exe | Potentially Bad Traffic       | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
2864 | 1.bin.exe | Potentially Bad Traffic       | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
     |           | Potentially Bad Traffic       | ET DNS Query to a *.top domain - Likely Hostile
2864 | 1.bin.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
2864 | 1.bin.exe | A Network Trojan was detected | ET TROJAN Potential Dridex.Maldoc Minimal Executable Request
2864 | 1.bin.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2864 | 1.bin.exe | A Network Trojan was detected | ET TROJAN Win32/Vodkagats Loader Requesting Payload
2864 | 1.bin.exe | Potentially Bad Traffic       | ET INFO HTTP Request to a *.top domain
2864 | 1.bin.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)

The two rows without a PID are DNS alerts, which the sandbox cannot attribute to a process because the system resolver issues the query. Signature names are not attribution: the Dridex.Maldoc and Vodkagats rules fire on generic executable-download patterns in the build2.exe and build3.exe fetches by PID 2864; the families actually identified in this run are STOP and Vidar.

3 ETPRO signatures available at the full report
Debug output strings (from the Task Scheduler console the analyst opened manually, mmc.exe PIDs 3232 and 3412; not output of the sample)

Process | Message
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn