Extracted

• • Target

    gcapi.dll

  • Size

    385KB

  • MD5

    1ce7d5a1566c8c449d0f6772a8c27900

  • SHA1

    60854185f6338e1bfc7497fd41aa44c5c00d8f85

  • SHA256

    73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

  • SHA512

    7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

  • SSDEEP

    6144:Tv/ioKdMF+LZD/ZRj1vwWrrUFMNoz4pFGxjEB1NYAOrabN2GZvFcD7:Td+LZrNwWrrwMNoz4vG1OYZabtK7

  Score

  10^/10

  vidarzloadere0127784745c009143122ea0882115a4botnetdiscoverypersistenceransomwarestealertrojan

  • Detect Vidar Stealer

    stealer

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader

  • Renames multiple (80) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Modifies Installed Components in the registry

    persistence

  • Sets DLL path for service in the registry

    persistence

  • Sets service image path in registry

    persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Registers COM server for autorun

    persistence

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1