Trojan.Vidar.FB
Analysis Report
General information
| Family Name: | Trojan.Vidar.FB |
|---|---|
| Packers: | UPX x64 |
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| e616f1c3d6c1833cb3781c03a0c2e094 | 2d99de4c5315e877b8c1b65e9c4ac72bdf16fa7b | A059DC1F3EBB41582310F7C841A4C8F7442A5C0205C3C79E2C0EE559C8815509 | 291.84 KB, 291840 bytes |
| f73fd79fbb5dabba09e133c13f6fa823 | 844108d1d962fa8cc938b1ef657e2aa15c84c515 | A4ABD142E6668050CC20B1D4DD095667DCCCCBC8C2674822AF682725A7441C20 | 636.93 KB, 636928 bytes |
| 247048abd55317eea4125fd005603ec5 | 265481319d7cb5fd47fcd98161fba6340838d389 | FA245A155A129614E23B9DC92334FB78E2FF7896DD649CF490304DEE0D2565A5 | 645.12 KB, 645120 bytes |
| db2e9d33e74538bfcdb40a8f790ba977 | 82a8b40e89107ce11f3297588516328bc3e37184 | D56EB6E52852E83C57930CFFE5CF812522ECB3FC24F137D29634783B6A47CF95 | 278.53 KB, 278528 bytes |
| af1285c0f9d5fe640a6dd65e5b4ad30d | 1fbeb8211519325e58355fe0420e1946ebcdf748 | 106FFEC87882F140FB281377D91EAB714C0322C4D44792185FC66B5680703CA7 | 278.53 KB, 278528 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Traits
- CryptUnprotectData
- HighEntropy
- No CryptProtectData
- No Version Info
- packed
- VirtualQueryEx
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 135 |
|---|---|
| Potentially Malicious Blocks: | 10 |
| Whitelisted Blocks: | 2 |
| Unknown Blocks: | 123 |
Visual Map
[Block map: 135 cells, one per block, of which 2 are marked 0, 10 are marked x and 123 are marked ?]
Legend:
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Vidar.FB
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |