MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e063d56d58b485532b7763965cd21d2ae9275f514d25bc8d2a0b8c008b2d4bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e063d56d58b485532b7763965cd21d2ae9275f514d25bc8d2a0b8c008b2d4bd
SHA3-384 hash: 47bc912bf1418582a2cce2fe015984e2ac27022cc164a3632aa8d1627068800a33fdbf40580aa16e0e2a49bad8cd713b
SHA1 hash: 7fccd156fd8db40eaa66371473971893b4be2e50
MD5 hash: 7b88b06cba9c11d4c41ea610a876b13f
humanhash: cardinal-monkey-utah-tango
File name:0e063d56d58b485532b7763965cd21d2ae9275f514d25bc8d2a0b8c008b2d4bd.ps1
Download: download sample
Signature Vidar
Create hunting rule
File size:26 bytes
First seen:2025-03-27 18:25:53 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3:BHNJsNWUfM:RNCNWUfM
Threatray 6 similar samples on MalwareBazaar
TLSH TNULL
Magika txt
Reporter JAMESWT_WT
Tags:amshell-ws amssh-ws installsh-pages-dev ps1 ty-ap-4t-com vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
IT IT
Vendor Threat Intelligence
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper persistence
Link:
https://www.filescan.io/uploads/67e59851f274bf2d8e25f03d/reports/91d0c21e-8889-4df3-af22-0334be9a66e5/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0e063d56d58b485532b7763965cd21d2ae9275f514d25bc8d2a0b8c008b2d4bd
Result
Verdict:
UNKNOWN
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1650505
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Powershell drops PE file
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1650505 Sample: kpsbCW7D1x.ps1 Startdate: 27/03/2025 Architecture: WINDOWS Score: 100 90 ty.ap.4t.com 2->90 92 xandr-ms-geo.trafficmanager.net 2->92 94 70 other IPs or domains 2->94 124 Suricata IDS alerts for network traffic 2->124 126 Found malware configuration 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 8 other signatures 2->130 10 powershell.exe 16 35 2->10         started        15 powershell.exe 2->15         started        17 powershell.exe 2->17         started        19 msedge.exe 2->19         started        signatures3 process4 dnsIp5 110 jacrcell.com 179.61.12.111, 443, 49697, 49866 TECNOWEBPERUSACPE Chile 10->110 112 amshell.ws 147.45.44.233, 443, 49695 FREE-NET-ASFREEnetEU Russian Federation 10->112 120 2 other IPs or domains 10->120 74 C:\Users\user\AppData\Local\...\updater.exe, PE32+ 10->74 dropped 76 C:\Users\user\AppData\...\WindowsUpdate.ps1, ASCII 10->76 dropped 156 Found many strings related to Crypto-Wallets (likely being stolen) 10->156 158 Creates autostart registry keys with suspicious values (likely registry only malware) 10->158 160 Found suspicious powershell code related to unpacking or dynamic code loading 10->160 21 updater.exe 10->21         started        24 conhost.exe 10->24         started        78 C:\Users\user\AppData\Local\...\updater.exe, PE32+ 15->78 dropped 162 Loading BitLocker PowerShell Module 15->162 164 Powershell drops PE file 15->164 26 updater.exe 15->26         started        28 conhost.exe 15->28         started        80 C:\Users\user\AppData\Local\...\updater.exe, PE32+ 17->80 dropped 30 updater.exe 17->30         started        32 conhost.exe 17->32         started        114 192.168.2.7 unknown unknown 19->114 116 192.168.2.8 unknown unknown 19->116 118 239.255.255.250 unknown Reserved 19->118 166 Suspicious powershell command line found 19->166 168 Maps a DLL or memory area into another process 19->168 34 msedge.exe 19->34         started        37 msedge.exe 19->37         started        39 4 other processes 19->39 file6 signatures7 process8 dnsIp9 132 Antivirus detection for dropped file 21->132 134 Writes to foreign memory regions 21->134 136 Allocates memory in foreign processes 21->136 41 MSBuild.exe 53 21->41         started        45 MSBuild.exe 26->45         started        138 Injects a PE file into a foreign processes 30->138 47 MSBuild.exe 30->47         started        96 sb.scorecardresearch.com 18.164.116.57, 443, 49770, 49788 MIT-GATEWAYSUS United States 34->96 98 131.253.33.203, 443, 49864, 49865 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 34->98 100 34 other IPs or domains 34->100 signatures10 process11 dnsIp12 104 ty.ap.4t.com 88.99.125.82, 443, 49699, 49700 HETZNER-ASDE Germany 41->104 106 t.me 149.154.167.99, 443, 49698, 49867 TELEGRAMRU United Kingdom 41->106 108 127.0.0.1 unknown unknown 41->108 140 Attempt to bypass Chrome Application-Bound Encryption 41->140 142 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->142 144 Found many strings related to Crypto-Wallets (likely being stolen) 41->144 146 Searches for specific processes (likely to inject) 41->146 49 msedge.exe 2 9 41->49         started        52 chrome.exe 41->52         started        55 cmd.exe 41->55         started        148 Tries to harvest and steal Bitcoin Wallet information 45->148 57 msedge.exe 45->57         started        59 chrome.exe 45->59         started        61 chrome.exe 45->61         started        150 Tries to harvest and steal ftp login credentials 47->150 152 Tries to harvest and steal browser information (history, passwords, etc) 47->152 154 Tries to steal Crypto Currency Wallets 47->154 signatures13 process14 dnsIp15 122 Monitors registry run keys for changes 49->122 63 msedge.exe 49->63         started        102 192.168.2.6, 443, 49681, 49682 unknown unknown 52->102 65 chrome.exe 52->65         started        68 conhost.exe 55->68         started        70 timeout.exe 55->70         started        72 chrome.exe 59->72         started        signatures16 process17 dnsIp18 82 www.google.com 142.250.81.228, 443, 49715, 49719 GOOGLEUS United States 65->82 84 play.google.com 142.251.40.142, 443, 49732, 49739 GOOGLEUS United States 65->84 88 3 other IPs or domains 65->88 86 ogads-pa.clients6.google.com 72->86
Score:
4%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/0e063d56d58b485532b7763965cd21d2ae9275f514d25bc8d2a0b8c008b2d4bd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e063d56d58b485532b7763965cd21d2ae9275f514d25bc8d2a0b8c008b2d4bd/
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
09d916ffc4140580a93ccba92d9d43c69675b8f118eafd24f6c1f251f129aa56
Vidar
0ffb1a03bf0c0819a9b9dd162d77de911c5a54cd43e2c2e338bb637303351244
Vidar
9e16524aaa9323007265cd74421cc60014636434e5d083018b59bbe53636572e
Vidar
b6e7e1ddaceee8c401056c0bd2e552c3545f6906b7de4b62ab3a239e5b01dfa7
Vidar
cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4
Vidar
error
Vidar
fe0d2c8f9e42e9672c51e3f1d478f9398fe88c6f31f83cadbb07d3bb064753c6
Vidar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:00cb84c6bd4caac4bdfc1131beae4df7 credential_access defense_evasion discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250327-w3ameawwax/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Hide Artifacts: Hidden Window
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
Dropper Extraction:
https://jacrcell.com/joomla/crypted.exe
https://installsh.pages.dev/config.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e063d56d58b485532b7763965cd21d2ae9275f514d25bc8d2a0b8c008b2d4bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments