Windows Analysis Report
LisectAVT_2403002A_138.exe

Overview

General Information

Sample name: LisectAVT_2403002A_138.exe
Analysis ID: 1482505
MD5: fec47a3ee92a38794a904285cb01529b
SHA1: b9d5ca658c03e1e4fa124e5459130db55e818eba
SHA256: 5ec4bb89bf846e2e9305f280673aeb564b13039b72bf8cf9a1b5294ed4aa7bc8
Tags: ArkeiStealer, exe

Detection

Vidar
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
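
Several of the static indicators in the list above (invalid PE checksum, entry point outside the standard sections, non-standard section names, and the DllCharacteristics flags) can be re-checked on any sample without a sandbox. The following is an added example written for this page, not code from the Joe Sandbox report or from any tool it names. It does not touch the analysed sample: build_pe() assembles its own small constructed PE32 image, and the section names and RVAs it uses are illustrative only.

```python
"""
Static checks for signatures listed above (invalid PE checksum, entry point
outside standard sections, non-standard section names) plus the
DllCharacteristics flags the report prints. Stdlib only; build_pe() makes a
tiny constructed PE32 for demonstration, not the analysed sample.
"""
import struct

STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata",
                     b".edata", b".rsrc", b".reloc", b".tls", b".pdata"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x8000: "TERMINAL_SERVER_AWARE"}

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Same algorithm as imagehlp CheckSumMappedFile: sum every dword except
    the CheckSum field with end-around carry, fold to 16 bits, add length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == (checksum_offset & ~3):
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF -> PE32 optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    sections = []
    for i in range(nsec):
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), va, max(vsize, raw)))
    return {
        "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
        "checksum": struct.unpack_from("<I", data, opt + 64)[0],
        "checksum_offset": opt + 64,
        "dll_chars": struct.unpack_from("<H", data, opt + 70)[0],
        "sections": sections,
    }

def analyze(data: bytes) -> dict:
    """The indicators an analyst would compare against the report's lines."""
    pe = parse(data)
    entry = pe["entry_rva"]
    entry_sec = next((n for n, va, sz in pe["sections"] if va <= entry < va + sz), None)
    return {
        "checksum_valid": pe["checksum"] == pe_checksum(data, pe["checksum_offset"]),
        "entry_section": entry_sec.decode() if entry_sec else None,
        "nonstandard_sections": [n.decode() for n, _, _ in pe["sections"]
                                 if n not in STANDARD_SECTIONS],
        "dll_characteristics": [f for b, f in DLL_FLAGS.items() if pe["dll_chars"] & b],
    }

def patch_checksum(data: bytes) -> bytes:
    """Write the correct value into the CheckSum field (what a linker does)."""
    pe = parse(data)
    out = bytearray(data)
    struct.pack_into("<I", out, pe["checksum_offset"], pe_checksum(data, pe["checksum_offset"]))
    return bytes(out)

def build_pe(entry_rva: int, sections: list, checksum: int = 0) -> bytes:
    """Constructed PE32: DOS stub, COFF, optional header, section table and
    int3-filled section bodies. sections = [(name, rva, size), ...]."""
    file_align = size_of_headers = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)   # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x1000 * (len(sections) + 1), size_of_headers)
    struct.pack_into("<I", opt, 64, checksum)              # CheckSum
    struct.pack_into("<HH", opt, 68, 2, 0x8140)            # GUI; DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    table, body, raw_ptr = b"", b"", size_of_headers
    for name, va, size in sections:
        table += struct.pack("<8sIIIIIIHHI", name, size, va, size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += b"\xCC" * size
        raw_ptr += size
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head + b"\0" * (size_of_headers - len(head)) + body

if __name__ == "__main__":
    img = build_pe(0x2010, [(b".text", 0x1000, 0x200), (b".xyz", 0x2000, 0x200)])  # like the report
    print(analyze(img), analyze(patch_checksum(img)))  # checksum_valid False, then True
```

The checksum field is skipped while summing, so a file whose header holds zero (a common sign the linker was told not to compute it, or that the image was rewritten by a packer) fails the comparison until patch_checksum() writes the recomputed value back. Run parse()/analyze() over a real file's bytes to reproduce the report's three static findings on other samples.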

Classification

AV Detection

Source: LisectAVT_2403002A_138.exe Avira: detected
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_138.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0041600C CryptUnprotectData,LocalAlloc,_memmove,LocalFree, 10_2_0041600C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0041624B _malloc,_memmove,_malloc,CryptUnprotectData,_memmove, 10_2_0041624B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00415FB3 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 10_2_00415FB3

Compliance

Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Unpacked PE file: 0.2.LisectAVT_2403002A_138.exe.3040000.1.unpack
Source: LisectAVT_2403002A_138.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.28.78.238:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: LisectAVT_2403002A_138.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spreading

Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030EBA2A FindFirstFileExW,FindNextFileW,FindClose, 0_2_030EBA2A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030EB976 _free,_free,FindFirstFileExW, 0_2_030EB976
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_004074D6 __EH_prolog3_GS,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcatW,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose, 10_2_004074D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00417856 _sprintf,FindFirstFileA,_sprintf,_memset,_sprintf,GetFileAttributesA,FindNextFileA,FindClose, 10_2_00417856
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00407D0D __EH_prolog3_GS,_sprintf,FindFirstFileA,_sprintf,CopyFileA,FindNextFileA,FindClose, 10_2_00407D0D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0040F3D6 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, 10_2_0040F3D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 10_2_00401000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 10_2_00401000

Networking

Source: global traffic HTTP traffic detected: GET /hi20220412 HTTP/1.1 Host: t.me
Source: global traffic HTTP traffic detected: GET /@samal6 HTTP/1.1 Host: noc.social
Source: global traffic HTTP traffic detected: GET /hi20220412 HTTP/1.1 Host: t.me Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645
Source: global traffic HTTP traffic detected: GET /@samal6 HTTP/1.1 Host: noc.social Cookie: _mastodon_session=Qw9lJgCboiJD0%2F4%2BxCsP5G1hmJ17zNJU%2BEH7UaO0nSkWqV%2FG0pT%2BGz1pz%2Fy%2Fq%2F5pMPiAaFMnF7G58wt5rs%2Fnm%2Bpt%2FjwUstdfT1d7dVdA9YqBys4at5USOqOymXdXQB2mSR%2BJlot5wzs36BbHiNCS7ul%2B2mCL1SEmrhCTfExt7nSpOHcJtbmwozWalTJkQXPaYyRVyXASltft6%2FnqCPP6nLBw7Ai1IrMBq%2B00rBY%3D--AfxNH5XsTJwnLEC9--TeFYvmJjfvrHNxeyk9%2FUdQ%3D%3D
Source: global traffic HTTP traffic detected: GET /hi20220412 HTTP/1.1 Host: t.me Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645
Source: Joe Sandbox View IP Address: 149.28.78.238 149.28.78.238
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00410235 __EH_prolog3,DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 10_2_00410235
Source: global traffic HTTP traffic detected: GET /hi20220412 HTTP/1.1 Host: t.me
Source: global traffic HTTP traffic detected: GET /@samal6 HTTP/1.1 Host: noc.social
Source: global traffic HTTP traffic detected: GET /hi20220412 HTTP/1.1 Host: t.me Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645
Source: global traffic HTTP traffic detected: GET /@samal6 HTTP/1.1 Host: noc.social Cookie: _mastodon_session=Qw9lJgCboiJD0%2F4%2BxCsP5G1hmJ17zNJU%2BEH7UaO0nSkWqV%2FG0pT%2BGz1pz%2Fy%2Fq%2F5pMPiAaFMnF7G58wt5rs%2Fnm%2Bpt%2FjwUstdfT1d7dVdA9YqBys4at5USOqOymXdXQB2mSR%2BJlot5wzs36BbHiNCS7ul%2B2mCL1SEmrhCTfExt7nSpOHcJtbmwozWalTJkQXPaYyRVyXASltft6%2FnqCPP6nLBw7Ai1IrMBq%2B00rBY%3D--AfxNH5XsTJwnLEC9--TeFYvmJjfvrHNxeyk9%2FUdQ%3D%3D
Source: global traffic HTTP traffic detected: GET /hi20220412 HTTP/1.1 Host: t.me Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: noc.social
Source: LisectAVT_2403002A_138.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: LisectAVT_2403002A_138.exe String found in binary or memory: http://s.symcd.com06
Source: LisectAVT_2403002A_138.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: LisectAVT_2403002A_138.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: LisectAVT_2403002A_138.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: LisectAVT_2403002A_138.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: LisectAVT_2403002A_138.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: LisectAVT_2403002A_138.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://noc.social
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://noc.social/
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://noc.social/5
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000142F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://noc.social/eQ
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://noc.social;
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000142F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://noc.social~
Source: LisectAVT_2403002A_138.exe, 00000000.00000002.1911139518.000000000FF50000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 00000000.00000003.1831985576.0000000011930000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/LI
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000142F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000003.2137596982.0000000001435000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641641619.00000000012F9000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000003.2176119973.0000000001480000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.0000000001420000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2643040123.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/hi20220412
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/hi20220412A
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/hi20220412i/
Source: LisectAVT_2403002A_138.exe, 0000000A.00000003.2137596982.0000000001435000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/hi20220412j
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2643040123.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000147C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telegram.org/img/t_logo.png
Source: LisectAVT_2403002A_138.exe, 0000000A.00000003.2137482736.0000000001435000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2643040123.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000147C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.28.78.238:443 -> 192.168.2.8:49709 version: TLS 1.2
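
The requests above are the pattern worth alerting on: a GET carrying no User-Agent header (InternetOpenA called with an empty agent string sends none) to a Telegram channel page (t.me/hi20220412) and to a Mastodon profile (noc.social/@samal6). Vidar fetches such public profile pages to read its real C2 address out of the profile text, a dead-drop resolver, which is why neither host is the C2 itself. The cookies on the later requests were set by those servers on the first response and replayed automatically by WinINet's cookie store, not added by the malware. The following header triage is an added example, not part of the report: it runs over constructed copies of these requests with the CRLFs the report collapsed restored, and DEAD_DROP_PAGES plus the finding strings are this example's own choices.

```python
"""
Header-level triage for the two network behaviours the report shows: GET
requests with no User-Agent header, and fetches of public profile pages
(t.me/<name>, Mastodon /@<user>) that Vidar reads to find its real C2
address. SAMPLE_REQUESTS are constructed from the report's entries with CRLFs
restored; they are not a packet capture.
"""
import re
from dataclasses import dataclass

# host -> pattern of the profile-page path. Only the two hosts from this
# report; extend from your own telemetry (stealers also use other platforms).
DEAD_DROP_PAGES = {
    "t.me": re.compile(r"^/[A-Za-z0-9_]{5,32}$"),
    "noc.social": re.compile(r"^/@[A-Za-z0-9_]{1,30}$"),
}

SAMPLE_REQUESTS = [
    "GET /hi20220412 HTTP/1.1\r\nHost: t.me\r\n\r\n",
    "GET /@samal6 HTTP/1.1\r\nHost: noc.social\r\n\r\n",
    "GET /hi20220412 HTTP/1.1\r\nHost: t.me\r\n"
    "Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645\r\n\r\n",
    # constructed benign control request
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


@dataclass
class Request:
    method: str
    target: str
    host: str
    headers: dict  # lower-cased header name -> value


def parse_request(raw: str) -> Request:
    """Parse an HTTP/1.x request head: request line followed by headers."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers.get("host", "").lower(), headers)


def triage(req: Request) -> list:
    """Findings for one request; an empty list means nothing notable."""
    findings = []
    if "user-agent" not in req.headers:
        findings.append("no User-Agent header")
    pattern = DEAD_DROP_PAGES.get(req.host)
    if req.method == "GET" and pattern and pattern.match(req.target):
        findings.append(f"profile page {req.host}{req.target}: possible dead-drop resolver")
    if len(findings) == 2:
        findings.append("no-UA fetch of a profile page: strong stealer C2-lookup indicator")
    return findings


def triage_all(raws: list) -> dict:
    """Map 'host+target' -> findings for every request that has any."""
    result = {}
    for raw in raws:
        req = parse_request(raw)
        findings = triage(req)
        if findings:
            result.setdefault(req.host + req.target, findings)
    return result


if __name__ == "__main__":
    for key, findings in triage_all(SAMPLE_REQUESTS).items():
        print(key, "->", "; ".join(findings))
```

The two checks are deliberately separate: browsers and most legitimate software always send a User-Agent, and a plain profile-page visit is normal, so it is the combination that is worth an alert. Feed the same function with decrypted proxy or TLS-inspection logs; the report's traffic was HTTPS (ports 49708-49712 to 443), so only an inspecting proxy or the endpoint sees these headers.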

System Summary

Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0055A738 0_2_0055A738
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0055B0D4 0_2_0055B0D4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0055B096 0_2_0055B096
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030A4310 0_2_030A4310
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D8310 0_2_030D8310
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D4330 0_2_030D4330
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DF3B0 0_2_030DF3B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E23C0 0_2_030E23C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DB3F0 0_2_030DB3F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E33F0 0_2_030E33F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E4200 0_2_030E4200
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030F023C 0_2_030F023C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E0250 0_2_030E0250
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DC260 0_2_030DC260
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D9140 0_2_030D9140
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D51A0 0_2_030D51A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D8000 0_2_030D8000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E1000 0_2_030E1000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E5080 0_2_030E5080
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030C2090 0_2_030C2090
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DD0A0 0_2_030DD0A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0309E0B0 0_2_0309E0B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D4760 0_2_030D4760
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E1770 0_2_030E1770
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E5780 0_2_030E5780
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DC790 0_2_030DC790
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DD7C0 0_2_030DD7C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030CE670 0_2_030CE670
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D66C0 0_2_030D66C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D6500 0_2_030D6500
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E2580 0_2_030E2580
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DA5F0 0_2_030DA5F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DE5F0 0_2_030DE5F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030CD410 0_2_030CD410
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0308D4E0 0_2_0308D4E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D74F0 0_2_030D74F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E3B00 0_2_030E3B00
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DFB30 0_2_030DFB30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DEB40 0_2_030DEB40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DBB50 0_2_030DBB50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0308CB90 0_2_0308CB90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D7BC0 0_2_030D7BC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030C1BE0 0_2_030C1BE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D8A20 0_2_030D8A20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D4A80 0_2_030D4A80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E4910 0_2_030E4910
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DC940 0_2_030DC940
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DF970 0_2_030DF970
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DB990 0_2_030DB990
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DE9D0 0_2_030DE9D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D9800 0_2_030D9800
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D5830 0_2_030D5830
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D8860 0_2_030D8860
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D48D0 0_2_030D48D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E08E0 0_2_030E08E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D5F70 0_2_030D5F70
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D8F80 0_2_030D8F80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D4FE0 0_2_030D4FE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D6E10 0_2_030D6E10
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030CEE40 0_2_030CEE40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E1E60 0_2_030E1E60
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0308CEC0 0_2_0308CEC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030CDEC0 0_2_030CDEC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030D9EC0 0_2_030D9EC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DDEE0 0_2_030DDEE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E5EE0 0_2_030E5EE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E5D20 0_2_030E5D20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E2CC0 0_2_030E2CC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030DACE0 0_2_030DACE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0308DCF0 0_2_0308DCF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_013A029B 0_2_013A029B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_004560FA 10_2_004560FA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0042E147 10_2_0042E147
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00405207 10_2_00405207
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0046B2D8 10_2_0046B2D8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_004872D6 10_2_004872D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0040F3D6 10_2_0040F3D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0047F402 10_2_0047F402
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0041F41C 10_2_0041F41C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00485420 10_2_00485420
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00406439 10_2_00406439
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00420438 10_2_00420438
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_004044EB 10_2_004044EB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_004494F9 10_2_004494F9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0046D49B 10_2_0046D49B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0048659E 10_2_0048659E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_004576C2 10_2_004576C2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0044D6CE 10_2_0044D6CE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_004707B0 10_2_004707B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00485971 10_2_00485971
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0043D9FF 10_2_0043D9FF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00459AAF 10_2_00459AAF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00403CEB 10_2_00403CEB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0046DE6E 10_2_0046DE6E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00485EC2 10_2_00485EC2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00404E86 10_2_00404E86
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00440F42 10_2_00440F42
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00432F3F 10_2_00432F3F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0041DFEB 10_2_0041DFEB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: String function: 00402D44 appears 33 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: String function: 00475ED0 appears 50 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: String function: 0041FA3E appears 103 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: String function: 0041EFA2 appears 41 times
Source: LisectAVT_2403002A_138.exe Binary or memory string: OriginalFilename vs LisectAVT_2403002A_138.exe
Source: LisectAVT_2403002A_138.exe, 00000000.00000000.1389211867.0000000000707000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVtradsxvhxy.exe< vs LisectAVT_2403002A_138.exe
Source: LisectAVT_2403002A_138.exe Binary or memory string: OriginalFilename vs LisectAVT_2403002A_138.exe
Source: LisectAVT_2403002A_138.exe, 00000009.00000002.1873693039.0000000000707000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVtradsxvhxy.exe< vs LisectAVT_2403002A_138.exe
Source: LisectAVT_2403002A_138.exe, 0000000A.00000000.1903816265.0000000000707000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVtradsxvhxy.exe< vs LisectAVT_2403002A_138.exe
Source: LisectAVT_2403002A_138.exe Binary or memory string: OriginalFilenameVtradsxvhxy.exe< vs LisectAVT_2403002A_138.exe
Source: LisectAVT_2403002A_138.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: LisectAVT_2403002A_138.exe Static PE information: Section: ymZHo ZLIB complexity 0.99568714198036
Source: classification engine Classification label: mal92.troj.spyw.evad.winEXE@6/0@2/2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00417AF9 _malloc,CreateToolhelp32Snapshot,CloseHandle,Process32First,Process32Next,CloseHandle, 10_2_00417AF9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Mutant created: \Sessions\1\BaseNamedObjects\9e146be9-c76a-4720-bcdb-8c18-806e6f6e6963user4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: LisectAVT_2403002A_138.exe, 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: LisectAVT_2403002A_138.exe Static file information: File size 2190481 > 1048576
Source: LisectAVT_2403002A_138.exe Static PE information: Raw size of ymZHo is bigger than: 0x100000 < 0x17de00
Source: LisectAVT_2403002A_138.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Unpacked PE file: 0.2.LisectAVT_2403002A_138.exe.3040000.1.unpack
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0046AD94 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_0046AD94
Source: initial sample Static PE information: section where entry point is pointing to: viKy
Source: LisectAVT_2403002A_138.exe Static PE information: real checksum: 0x21a6a0 should be: 0x2242e8
Source: LisectAVT_2403002A_138.exe Static PE information: section name: EaHF
Source: LisectAVT_2403002A_138.exe Static PE information: section name: pIuGK
Source: LisectAVT_2403002A_138.exe Static PE information: section name: ymZHo
Source: LisectAVT_2403002A_138.exe Static PE information: section name: OkG
Source: LisectAVT_2403002A_138.exe Static PE information: section name: fwu
Source: LisectAVT_2403002A_138.exe Static PE information: section name: viKy
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0055A176 push ebp; ret 0_2_0055A1B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00556104 push edx; retf 0_2_0055610A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0055A1C1 push ebp; ret 0_2_0055A1B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_005541BF push edi; iretd 0_2_005541C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0055955B push 00000059h; iretd 0_2_00559570
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00559687 push edx; iretd 0_2_0055968D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00557941 push edx; retf 0_2_00557942
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00559A57 push esp; ret 0_2_00559A58
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00557F5F push FFFFFFE9h; iretd 0_2_00557F6B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00557F2C push ebx; retf 0_2_00557F31
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304C303 push ds; ret 0_2_0304C305
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304B331 push ecx; iretd 0_2_0304B333
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03047387 push ebx; iretd 0_2_030473CF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304A3C6 push FFFFFF8Bh; ret 0_2_0304A3CF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304322E push ebx; iretd 0_2_03043232
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304B249 push ecx; iretd 0_2_0304B24A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304C25E push edx; iretd 0_2_0304C264
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030441F4 push ebx; rep ret 0_2_03044209
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304A621 push ds; retf 0_2_0304A622
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304A446 push edi; ret 0_2_0304A459
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03042B4C push FFFFFF8Bh; ret 0_2_03042B55
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03043B66 push ecx; iretd 0_2_03043B68
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03044B7B push edx; iretd 0_2_03044B81
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03042BCC push edi; ret 0_2_03042BDF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03043A7E push ecx; iretd 0_2_03043A7F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304AAA8 push ebx; iretd 0_2_0304AAAC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03048ABB push ebp; retf 0_2_03048ABC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304B9BF push ebx; rep ret 0_2_0304B9D4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03042DA7 push ds; retf 0_2_03042DA8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03044C20 push ds; ret 0_2_03044C22
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 9_2_00554C55 push ss; ret 9_2_00554C5F
Source: LisectAVT_2403002A_138.exe Static PE information: section name: EaHF entropy: 7.03133579730527
Source: LisectAVT_2403002A_138.exe Static PE information: section name: viKy entropy: 7.075532543911929
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0046AD94 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_0046AD94

Malware Analysis System Evasion

Source: LisectAVT_2403002A_138.exe Binary or memory string: DIR_WATCH.DLL
Source: LisectAVT_2403002A_138.exe Binary or memory string: SBIEDLL.DLL
Source: LisectAVT_2403002A_138.exe Binary or memory string: API_LOG.DLL
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: HGETPROCESSWINDOWSTATIONGETUSEROBJECTINFORMATIONWGETLASTACTIVEPOPUPGETACTIVEWINDOWMESSAGEBOXWUSER32.DLLCONOUT$AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLLHKIAFZ5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe API coverage: 7.0 %
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe TID: 7644 Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe TID: 3644 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030EBA2A FindFirstFileExW,FindNextFileW,FindClose, 0_2_030EBA2A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030EB976 _free,_free,FindFirstFileExW, 0_2_030EB976
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_004074D6 __EH_prolog3_GS,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcatW,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose, 10_2_004074D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00417856 _sprintf,FindFirstFileA,_sprintf,_memset,_sprintf,GetFileAttributesA,FindNextFileA,FindClose, 10_2_00417856
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00407D0D __EH_prolog3_GS,_sprintf,FindFirstFileA,_sprintf,CopyFileA,FindNextFileA,FindClose, 10_2_00407D0D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0040F3D6 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, 10_2_0040F3D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0046773B GetSystemInfo, 10_2_0046773B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Thread delayed: delay time: 120000
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(5B
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.0000000001420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWq
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.0000000001420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: LisectAVT_2403002A_138.exe, 00000000.00000002.1910710435.000000000150E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00571EC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00571EC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0046AD94 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_0046AD94
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_005518D0 mov eax, dword ptr fs:[00000030h] 0_2_005518D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03042150 mov eax, dword ptr fs:[00000030h] 0_2_03042150
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030EABB2 mov eax, dword ptr fs:[00000030h] 0_2_030EABB2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E792F mov eax, dword ptr fs:[00000030h] 0_2_030E792F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03041FC0 mov eax, dword ptr fs:[00000030h] 0_2_03041FC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00401000 mov eax, dword ptr fs:[00000030h] 10_2_00401000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00483DA9 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 10_2_00483DA9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0056F2ED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0056F2ED
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00571EC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00571EC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030EA299 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_030EA299
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E71CD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_030E71CD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E6CCC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_030E6CCC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0046F26F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_0046F26F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_004765CD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_004765CD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Memory written: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E6EE5 cpuid 0_2_030E6EE5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 10_2_0047F0AE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 10_2_0047F16E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 10_2_0047F1D5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 10_2_0047F211
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 10_2_004753F5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 10_2_0047E5C9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 10_2_0047D69F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 10_2_0047E8B7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 10_2_0047D96D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: GetLocaleInfoA, 10_2_004759F8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 10_2_00483B57
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 10_2_00483C31
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_0047ECE6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 10_2_0047EDDB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 10_2_0047EEDD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 10_2_0047EE82
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030E6B72 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_030E6B72
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00467DAE GetUserNameA, 10_2_00467DAE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00479BE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 10_2_00479BE9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: LisectAVT_2403002A_138.exe, 00000000.00000002.1911139518.000000000FF50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: JaxxLib
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum"
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default_wallet
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MultiDoge
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR