Managed XDR

raid-kostada2-outputs_...13533d1cab036ce66a6.oa (Vidar) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: raid-kostada2-outputs_reduced_dataset-mab_1772715072-minimal-bazaar.2023.04__heur-exploit.win32.shellcode_shellcode.gen-1a945013489a88af369312fbce20f6701fb0df180e29113533d1cab036ce66a6.oa
Тип файла: PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла: 697.5 KB
Первое обнаружение: 2026-03-05 18:53
Последнее обнаружение: 2026-03-05 18:53

Окружение

w10/x64 en

Хеши

SHA1: 441129063764ddad348f57c2dcd7d92e002a2b0a
SHA256: 24bbeb91bd94ae94e4e6b833b20d19dc2ce065487e19ceced101800855d15549
MD5: 0ead4570bb2930894bb067f608b82d6f

Вредоносное ПО

Vidar

Сигнатуры

Resource Development

T1585.001 social_telegram: Connects to Telegram (potentially for information gathering)

T1586.001 social_telegram: Connects to Telegram (potentially for information gathering)

Execution

T1059.007 bad_js: Suspicious Javascript file

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Command and Control

T1071.001 network_http: Performs HTTP requests

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules

suricata_alert: Malicious traffic detected

multiple_useragents: Uses more than one unique User-Agent

has_pdb: This executable file has a PDB path

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

pe_overlay: PE file contains overlay

js_suspicious: Suspicious javascript