Edit tour
Windows
Analysis Report
i1myxYUbbP.exe
Overview
General Information
| Sample name: | i1myxYUbbP.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
| Original sample name: | ad2ccaab29318002cd1b01b97eb4af02 |
| Analysis ID: | 1654169 |
| MD5: | ad2ccaab29318002cd1b01b97eb4af02 |
| SHA1: | 44eebe4c043cdd3393038576ddbdd59a26d9c03d |
| SHA256: | bb1c808ad6d989df052a90e9a09d4e299c60c1a503310ed36e0281c97c37abed |
| Infos: |   |
 | |
Detection
Vidar
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected Powershell download and execute
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Classification
- System is w10x64
i1myxYUbbP.exe (PID: 7652 cmdline: "C:\Users\ user\Deskt op\i1myxYU bbP.exe" MD5: AD2CCAAB29318002CD1B01B97EB4AF02) 
cmd.exe (PID: 7696 cmdline: "C:\Window s\System32 \cmd.exe" /c copy Pe tition Pet ition.cmd & Petition .cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7712 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 7880 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7892 cmdline:
findstr /I "opssvc w rsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 7932 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7940 cmdline:
findstr "A vastUI AVG UI bdservi cehost nsW scSvc ekrn SophosHea lth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 7988 cmdline:
cmd /c md 783469 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - extrac32.exe (PID: 8000 cmdline:
extrac32 / Y /E Virtu e MD5: 9472AAB6390E4F1431BAA912FCFF9707) - findstr.exe (PID: 8016 cmdline:
findstr /V "valuable " Essentia ls MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 8028 cmdline:
cmd /c cop y /b 78346 9\Conserva tion.com + Sonic + M ails + Woo l + Requir ed + Ge + Lenders + Nearly + W ires + Nut + Peacefu l 783469\C onservatio n.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 8044 cmdline:
cmd /c cop y /b ..\Ec ological + ..\Hour + ..\Centre s + ..\Cha irman R MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Conservation.com (PID: 8060 cmdline: Conservati on.com R MD5: 62D09F076E6E0240548C2F837536A46A) - choice.exe (PID: 8076 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
{
"C2 url": "https://steamcommunity.com/profiles/76561199819539662",
"Botnet": "go2dniz"
}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| Click to see the 5 entries | ||||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
HIPS / PFW / Operating System Protection Evasion |   |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-04-02T02:40:01.729750+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 95.217.240.67 | 443 | TCP |
| 2025-04-02T02:40:56.106255+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49725 | 95.217.240.67 | 443 | TCP |
| 2025-04-02T02:41:29.870575+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49728 | 95.217.240.67 | 443 | TCP |
| 2025-04-02T02:42:03.448980+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 95.217.240.67 | 443 | TCP |
- • AV Detection
- • Compliance
- • Spreading
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Stealing of Sensitive Information
- • Remote Access Functionality
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||