MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cff8404e73906f3a4932e145bf57fae7a0e66a7d7952416161a5d9bb9752fd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 15



SHA256 hash: 0cff8404e73906f3a4932e145bf57fae7a0e66a7d7952416161a5d9bb9752fd8
SHA3-384 hash: 09147d55626f01451b1bd70d59d90731c15bb4b0e2e1b5030569192ab68b492a99485c0e0101fe4a5121a4fe4c6583a8
SHA1 hash: 17af6858b73be1b5174b3b514ce226838ca9a47b
MD5 hash: 09c486a8bbd9535e607601ac60269292
humanhash: hamper-king-sierra-washington
File name: file
Signature: Vidar
File size: 1'938'944 bytes
First seen: 2023-04-17 12:19:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 24576:keg7eZvrKpgIpBRM6mxWT9FrLS/yJvrcs39CxJ19dUHCHRuzuEhT21wBvlClPaKe:weZvrKVpBK5VSQJgTb
Threatray: 673 similar samples on MalwareBazaar
TLSH: T13395D0720287BED953B98D98E49722450DCCFEBBA358D3C97CCA159B22B5564EC43CB0
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: jstrosch
Tags: .NET exe MSIL vidar

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 250
Origin country: US

Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-04-17 12:19:45 UTC
Tags: stealer vidar trojan rat azorult loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Launching a process
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Azorult, Vidar, zgRAT
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Backdoor.Androm
Status: Malicious
First seen: 2023-04-14 18:26:48 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 15 of 37 (40.54%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:azorult family:vidar botnet:be67f2b288274aabb4498979305ac4e1 discovery infostealer persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Azorult
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
http://195.245.112.115/index.php
Unpacked files
SHA256 hash: 0cff8404e73906f3a4932e145bf57fae7a0e66a7d7952416161a5d9bb9752fd8
MD5 hash: 09c486a8bbd9535e607601ac60269292
SHA1 hash: 17af6858b73be1b5174b3b514ce226838ca9a47b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: has_telegram_urls
Author: Aaron DeVera <aaron@backchannel.re>
Description: Detects Telegram URLs

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Telegram_Links

Rule name: win_vidar_a_a901
Author: Johannes Bader
Description: detect unpacked Vidar samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File type: Executable exe
SHA256: 0cff8404e73906f3a4932e145bf57fae7a0e66a7d7952416161a5d9bb9752fd8 (this sample)

Comments