Summary | ZeroBOX

vi.exe

Tags: Malicious Library, Antivirus, UPX, PE File, OS Processor Check, PE32
Category: FILE
Machine: s1_win7_x6403_us
Started: June 27, 2024, 10:06 a.m.
Completed: June 27, 2024, 10:11 a.m.
Size: 205.5KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: baa9e1a92bab85279dca0aed641f1fa9
SHA256: d649524fba7b0571351c386359e13228781700def5904eed2c2455e15b2afd66
CRC32: A5B43C78
ssdeep: 6144:nuK5eoxptUTQpbQm3HACLGWyitsmrAwp63:/jptUT8bQcHZLki6mrAwpo
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status
104.76.78.101 Active
164.124.101.2 Active
76.223.67.189 Active

Suricata Alerts

Flow SID Signature
TCP 192.168.56.103:49166 -> 104.76.78.101:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.103:49161 -> 76.223.67.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.103:49163 -> 76.223.67.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Suricata TLS

Flow: TLSv1 192.168.56.103:49166 -> 104.76.78.101:443
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA
Subject: unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com
Fingerprint: 10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cce @ 0x778d3cce
malloc+0x57 _finite-0xac msvcrt+0x9d45 @ 0x76b29d45
??2@YAPAXI@Z+0xe ??_V@YAXPAX@Z-0x1c msvcrt+0xb0d7 @ 0x76b2b0d7
vi+0x43a7 @ 0x8f43a7
vi+0x59aa @ 0x8f59aa
vi+0x13abb @ 0x903abb
vi+0x14888 @ 0x904888
vi+0x17c6d @ 0x907c6d
vi+0x18439 @ 0x908439
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 12 8b 7f 04 3b d7 0f 85 b0 26 04 00 3b d1 0f
exception.symbol: RtlImageNtHeader+0x92f RtlDeleteCriticalSection-0xb62 ntdll+0x33a93
exception.instruction: mov edx, dword ptr [edx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 211603
exception.address: 0x778d3a93
registers.esp: 51811848
registers.edi: 1634235183
registers.eax: 4128768
registers.ebp: 51812056
registers.edx: 795108722
registers.ebx: 12141
registers.esi: 4175904
registers.ecx: 4175912
Status: 1  Return: 0  Repeated: 0
suspicious_features: GET method with no useragent header
suspicious_request: GET https://steamcommunity.com/profiles/76561199662282318
request: GET https://steamcommunity.com/profiles/76561199662282318
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process: vi.exe  useragent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6
process: vi.exe  useragent: (empty)
process: vi.exe  useragent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 OPR/108.0.0.0

Antivirus Detection

Vendor Detection
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Vidar.i!c
Elastic Windows.Generic.Threat
Cynet Malicious (score: 99)
Skyhigh Artemis!Trojan
ALYac Trojan.PSW.Vidar
Cylance Unsafe
VIPRE Gen:Variant.Zusy.536758
Alibaba Trojan:Win32/StealC.18308105
Cybereason malicious.92bab8
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Vidar.A
APEX Malicious
McAfee Artemis!BAA9E1A92BAB
Paloalto generic.ml
ClamAV Win.Malware.Trojanx-10020177-0
Kaspersky Trojan-PSW.Win32.Stealerc.lfc
BitDefender Gen:Variant.Zusy.536758
MicroWorld-eScan Gen:Variant.Zusy.536758
Rising Stealer.Agent!8.C2 (TFE:2:DQwxTsXk3kJ)
Emsisoft Gen:Variant.Zusy.536758 (B)
F-Secure Trojan.TR/AVI.vidar.vkkfn
DrWeb Trojan.PWS.Steam.37379
TrendMicro TrojanSpy.Win32.VIDAR.YXEFZZ
McAfeeD Real Protect-LS!BAA9E1A92BAB
Trapmine malicious.high.ml.score
FireEye Generic.mg.baa9e1a92bab8527
Sophos Troj/Stealc-AAB
Ikarus Trojan.Win32.Vidar
Webroot W32.ConvaGent
Google Detected
Avira TR/AVI.vidar.vkkfn
MAX malware (ai score=86)
Antiy-AVL Trojan[PSW]/Win32.StealerC
Kingsoft Win32.Trojan-PSW.Stealerc.lfc
Gridinsoft Spy.Win32.Vidar.tr
Arcabit Trojan.Zusy.D830B6
ViRobot Trojan.Win.Z.Zusy.210432
ZoneAlarm Trojan-PSW.Win32.Stealerc.lfc
GData Gen:Variant.Zusy.536758
Varist W32/ABTrojan.GFVJ-3509
AhnLab-V3 Trojan/Win.Generic.R651657
BitDefenderTheta AI:Packer.3A35A2FB1F
DeepInstinct MALICIOUS
VBA32 BScope.TrojanPSW.Mars
Malwarebytes Malware.AI.111572029
TrendMicro-HouseCall TrojanSpy.Win32.VIDAR.YXEFZZ
SentinelOne Static AI - Suspicious PE
Fortinet W32/Vidar.A!tr
Panda Trj/GdSda.A