analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Vidar Stealer Cracked [XakFor.Net].exe

Full analysis: https://app.any.run/tasks/681f1e70-1351-473b-b057-69030477a01d
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: July 17, 2019, 15:14:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

F630F2A9806F222EEB5E4110988663C0

SHA1:

E55B96DAC83EC632B05403FD93CA41C6309979CB

SHA256:

F41A90BB9FB02BCCCCB793BD109E9E5590ED37D25A014E66C2EB90C355E6E4D6

SSDEEP:

24576:QAcq/H3gRyFdUmcQJYZHScwyzSyT5pbc+luJnKr/MHsMNojN:rcfR2d/YZHSqeyFl6Kr/MMBh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NYKcSZGFU.exe (PID: 3180)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Vidar Stealer Cracked [XakFor.Net].exe (PID: 3732)

    • Creates files in the program directory

      • NYKcSZGFU.exe (PID: 3180)

    • Creates files in the user directory

      • NYKcSZGFU.exe (PID: 3180)

  • INFO

    • Manual execution by user

      • NYKcSZGFU.exe (PID: 3180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: Vidar Stealer Cracked [XakFor.Net]
OriginalFileName: Vidar Stealer Cracked [XakFor.Net].exe
LegalTrademarks: -
LegalCopyright: Copyright © 2019
InternalName: Vidar Stealer Cracked [XakFor.Net].exe
FileVersion: 1.0.0.0
FileDescription: Vidar Stealer Cracked [XakFor.Net]
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x17e00a
UninitializedDataSize: -
InitializedDataSize: 1111552
CodeSize: 433152
LinkerVersion: 48
PEType: PE32
TimeStamp: 2019:03:04 12:33:22+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-Mar-2019 11:33:22
Comments: -
CompanyName: -
FileDescription: Vidar Stealer Cracked [XakFor.Net]
FileVersion: 1.0.0.0
InternalName: Vidar Stealer Cracked [XakFor.Net].exe
LegalCopyright: Copyright © 2019
LegalTrademarks: -
OriginalFilename: Vidar Stealer Cracked [XakFor.Net].exe
ProductName: Vidar Stealer Cracked [XakFor.Net]
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 04-Mar-2019 11:33:22
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
\x12~\x0c
0x00002000
0x000CD3F0
0x000CD400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99976
.text
0x000D0000
0x00069948
0x00069A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.55791
.rsrc
0x0013A000
0x00041F28
0x00042000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.90318
.reloc
0x0017C000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.0980042
0x0017E000
0x00000010
0x00000200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
0.13873

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.00112
490
UNKNOWN
UNKNOWN
RT_MANIFEST
32512
2.16096
20
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start vidar stealer cracked [xakfor.net].exe nykcszgfu.exe

Process information

PID
CMD
Path
Indicators
Parent process
3732"C:\Users\admin\AppData\Local\Temp\Vidar Stealer Cracked [XakFor.Net].exe" C:\Users\admin\AppData\Local\Temp\Vidar Stealer Cracked [XakFor.Net].exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Vidar Stealer Cracked [XakFor.Net]
Version:
1.0.0.0
3180"C:\Users\admin\Desktop\NYKcSZGFU.exe" C:\Users\admin\Desktop\NYKcSZGFU.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Total events
607
Read events
524
Write events
80
Delete events
3

Modification events

(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:writeName:1
Value:
56006900640061007200200053007400650061006C0065007200200043007200610063006B006500640020005B00580061006B0046006F0072002E004E00650074005D002E00650078006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000
(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
0200000001000000000000000700000006000000030000000500000004000000FFFFFFFF
(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_FolderType
Value:
{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_TopViewID
Value:
{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_TopViewVersion
Value:
0
(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation:writeName:Mode
Value:
4
(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation:writeName:LogicalViewMode
Value:
1
(PID) Process:(3732) Vidar Stealer Cracked [XakFor.Net].exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation:writeName:FFlags
Value:
1092616257
Executable files
1
Suspicious files
0
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
3732Vidar Stealer Cracked [XakFor.Net].exeC:\Users\admin\AppData\Local\Temp\stub.bin
MD5:
SHA256:
3180NYKcSZGFU.exeC:\ProgramData\freebl3.dllhtml
MD5:5F9A500F3D3010FC072A8B6255A4330A
SHA256:CE420F170208398EEAF8C6796EF19E6A853B2AA3A7FDA41F04B0270F42C9FA5C
3180NYKcSZGFU.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@xakfor[1].txttext
MD5:7B6EE2A92488DC998F7E1D422DB1DCEA
SHA256:8ABD3841FD87DEC0086EA17DCD265F20C443D4D2976FFAA08A88BBE214E00284
3180NYKcSZGFU.exeC:\ProgramData\msvcp140.dllhtml
MD5:A843B4A38F171FF0C3412E8C672DF1E7
SHA256:80C18F8AF8FFD7E9B6FBD7EAFE2EBBBB834A4D137CB75FF5F4997F44E2373344
3180NYKcSZGFU.exeC:\ProgramData\vcruntime140.dllhtml
MD5:0954F3A7581C99957377B2F35531D8FC
SHA256:B6DA93AAB5C26716F76AC5E284F67DFB80B26BF4524FC26CF3F26420F6FC9BC1
3180NYKcSZGFU.exeC:\ProgramData\softokn3.dllhtml
MD5:57FBC271F347D45AA4982CAE2CA2A79C
SHA256:410B1B726AFF365686E3CBC2C5DD44549CF0DC43A55AC5E9B870EE21A3847F6C
3732Vidar Stealer Cracked [XakFor.Net].exeC:\Users\admin\Desktop\NYKcSZGFU.exeexecutable
MD5:BF2929E3197F2BCDC51F596C8AF2D347
SHA256:4601243DA1E262A8BC26D57C96F5242B7CE28E97F859D909C973C40485B592CD
3180NYKcSZGFU.exeC:\ProgramData\mozglue.dllhtml
MD5:246AC1F13D4DC8DF53AFB4DB350E729F
SHA256:B12195635902AB2167DEF1FC6ADDFDB633AA773FB94E975E75DD019A1FFDD5FB
3180NYKcSZGFU.exeC:\ProgramData\nss3.dllhtml
MD5:5970899C1FF7DC8A4D46312FFA4C8D68
SHA256:3064B9FD734DE01B9201A690A54D4DA8068A058C765B42669D757B3C302E5E93
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
8
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3180
NYKcSZGFU.exe
GET
104.28.7.23:80
http://xakfor.net/msvcp140.dll
US
malicious
3180
NYKcSZGFU.exe
GET
503
104.28.7.23:80
http://xakfor.net/freebl3.dll
US
html
13.1 Kb
malicious
3180
NYKcSZGFU.exe
GET
503
104.28.7.23:80
http://xakfor.net/nss3.dll
US
html
14.9 Kb
malicious
3180
NYKcSZGFU.exe
GET
503
104.28.7.23:80
http://xakfor.net/softokn3.dll
US
html
10.1 Kb
malicious
3180
NYKcSZGFU.exe
GET
503
104.28.7.23:80
http://xakfor.net/mozglue.dll
US
html
14.2 Kb
malicious
3180
NYKcSZGFU.exe
GET
503
104.28.7.23:80
http://xakfor.net/vcruntime140.dll
US
html
11.2 Kb
malicious
3180
NYKcSZGFU.exe
POST
503
104.28.6.23:80
http://xakfor.net/
US
html
9.77 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3180
NYKcSZGFU.exe
104.28.7.23:80
xakfor.net
Cloudflare Inc
US
shared
3180
NYKcSZGFU.exe
104.28.6.23:80
xakfor.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
xakfor.net
  • 104.28.6.23
  • 104.28.7.23
malicious

Threats

PID
Process
Class
Message
3180
NYKcSZGFU.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Vidar Stealer Cracked [XakFor.Net].exe