Neconfirmat 977073.crdownload Stealer Vidar Analysis
Technical Analysis
| File Name | Neconfirmat 977073.crdownload |
| File Type |
PE32+ executable (GUI) x86-64, for MS Windows
|
| Scanner Version | 1.0.172.174 |
| Database Version | 2024-04-20 02:00:25 UTC |
Spy.Win64.Vidar.tr
Malware family: Vidar
Scan Another File
File Identification
| Hash Type | Value | Action |
|---|---|---|
| MD5 |
1a1c728fc6d1eb46d64dff3858488b42
|
|
| SHA1 |
008194eb6a429096a745d205cc6eff2d05d709cf
|
|
| SHA256 |
3c67ddeb2426bfd91144dd8ca4ec06ee20578105514ad629c830e194bfd65893
|
|
| SHA512 |
b9e0095010c8e53bc7b8bc7e2b97e10da7a0cd4443758a44d82c7ffd7cc1e49b575fe3a5be832c02ac67d194ec45f97614c944ed731c819225088ca4230a4857
|
|
| ImpHash |
5842498648e6235b14c52019b9eb5c2b
|
PE Analysis
Basic Information
▼| Icon |
Hash: 879c398be168801c7b1be4dcec09fdea
Fuzzy: bf8b8a189605e51fbb680609ba2b00fd dHash: f8c4d4c8c8c4c0c1 |
| Image Base | 0x140000000 |
| Entry Point | 0x14028d8b4 |
| Compilation Time | 2023-02-03 19:53:27 |
| Checksum | 0x00457869 (Actual: 0x00457869) |
| OS Version | 6.0 |
| PEiD Signatures |
PE32+ executable (GUI) x86-64, for MS Windows
|
| PDB Path | D:\Rizonesoft\Develop\Notepad3\Bin\Release_x64_v143\Notepad3.pdb |
| Digital Signature | The expected hash does not match the digest in SpcInfo |
| Imports | 12 libraries |
| Exports | 14 functions |
| Resources | 130 Resources |
| Sections | 7 Sections |
Version Information
▼| Comments | Notepad3 |
| FileDescription | Notepad3 |
| InternalName | Notepad3 |
| ProductName | Notepad3 |
| CompanyName | © Rizonesoft |
| FileVersion | 6.23.203.2 |
| ProductVersion | 6.23.203.2 |
| LegalCopyright | Copyright © 2008-2023 Rizonesoft |
| OriginalFilename | Notepad3.exe |
| Translation | 0x0409 0x04b0 |
PE Sections
▼| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Characteristics | MD5 |
|---|---|---|---|---|---|---|
.text |
0x00001000 |
3,030,998 bytes | 3,031,040 bytes | 6.56 (Compressed) |
IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
|
9B7BFC7FDACBBB819AF50C21A53278FD |
.data |
0x002e5000 |
669,568 bytes | 582,656 bytes | 1.22 (Normal) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
84130D4C56E1F27461F11BC25665720A |
.pdata |
0x00389000 |
76,428 bytes | 76,800 bytes | 6.22 (Normal) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
B3D674AFA034B2EC84A16CF6A3EEC2C2 |
.idata |
0x0039c000 |
18,836 bytes | 18,944 bytes | 4.87 (Normal) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
F6E70D2D992F45650F9AA25FA553F89D |
_RDATA |
0x003a1000 |
348 bytes | 512 bytes | 5.19 (Normal) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
D7C278B64106389B67723546CD60DA12 |
.rsrc |
0x003a2000 |
799,608 bytes | 799,744 bytes | 5.05 (Normal) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
D9E9B25262A2FE4C0E334D43BD16031C |
.reloc |
0x00466000 |
17,528 bytes | 17,920 bytes | 5.42 (Normal) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
|
6B57BA00900B00F28A489179AFF455EF |
Entropy Analysis Alert
1 section(s) with elevated entropy (≥6.5) - possible compression
Resource Analysis
▼| Resource Type | Count | Total Size | Percentage |
|---|---|---|---|
| RT_CURSOR | 1 | 308 bytes | |
| RT_BITMAP | 12 | 418,208 bytes | |
| RT_ICON | 13 | 255,089 bytes | |
| RT_MENU | 2 | 16,918 bytes | |
| RT_DIALOG | 39 | 27,326 bytes | |
| RT_STRING | 53 | 49,254 bytes | |
| RT_ACCELERATOR | 3 | 1,736 bytes | |
| RT_RCDATA | 1 | 20,279 bytes | |
| RT_GROUP_CURSOR | 1 | 20 bytes | |
| RT_GROUP_ICON | 3 | 200 bytes | |
| RT_VERSION | 1 | 776 bytes | |
| RT_MANIFEST | 1 | 2,670 bytes |
Certificate Chain Analysis
▼No Digital Signatures
This file is not digitally signed.
Security Implications:
- Cannot verify the publisher's identity
- Increased security risk when running this file
- May trigger security warnings on some systems
⚠ This file either lacks a digital signature or the certificate chain could not be verified
Exercise caution when executing unsigned files from unknown sources
Certificate Verification Status
The expected hash does not match the digest in SpcInfo
Recommendation: Verify the file source and ensure it comes from a trusted publisher.
Spy.Win64.Vidar.tr Removal
Gridinsoft has the capability to identify and eliminate Spy.Win64.Vidar.tr without requiring further user intervention.
Download Anti-MalwareRemoval Instructions
Follow these steps to completely remove the threat from your system
-
1
Get Gridinsoft Anti-Malware — it's a quick 2 MB download that won't slow down your PC.
-
2
Run the installer gsam-en-install.exe. The setup takes about 2 minutes and doesn't require a restart.
-
3
The app launches right after installation. You'll see the main dashboard with the scan button front and center.
-
4
Hit "Standard Scan" — this checks all the spots where malware typically hides: temp folders, browser data, startup programs, and system directories.
-
5
Once the scan finds this threat, click "Clean Now". The removal usually happens instantly, though some stubborn infections may need a reboot.
-
6
If you see a restart prompt, go ahead and reboot. This clears any malware that was running in memory and ensures your system starts fresh.
Leave a Comment
Gridinsoft Anti-Malware
Stay Malware-Free: Keep Your PC Protected with Gridinsoft Anti-Malware
Gridinsoft Anti-Malware offers just that—peace of mind with a robust, user-friendly solution that’s constantly updated to combat the latest threats. Designed by cybersecurity experts, it provides real-time protection and effortless malware removal. It’s not just about detecting threats; it's about enhancing your digital life with uninterrupted security. Give it a try and experience what it feels like to browse worry-free!
