MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e093049b2e7265ce11c541b4f4d9125d44f668fb51ed397c51545c6b46f0fa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e093049b2e7265ce11c541b4f4d9125d44f668fb51ed397c51545c6b46f0fa1
SHA3-384 hash: 2dfcda807967c6b64c5696ceebbb47bf184d02f0c6e571a1b8bc55e1278ef416a90549f0f8ba3ab6d4936dd3e8733ec8
SHA1 hash: 4741d4d71cbe09bab41808a29c83f28c449f3ccd
MD5 hash: 1e723a96f93d0f5a6319413595660f4b
humanhash: fruit-alpha-nitrogen-chicken
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:276'992 bytes
First seen:2023-11-17 15:33:10 UTC
Last seen:2023-11-17 22:04:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3cbcbc585b75792bafe59018ed63eaec (1 x Vidar)
ssdeep 3072:LN/kOdzXtLYeZKpK3SYSzks/sxL4epLwTpKuQwtJl9JUeNHEKRqxYtw39i3Fb:LNciLfKpK3WQLspKuQoZJ9HmxYtwM
TLSH T1D9442B0342E17C54D92A8B729F1FE6EC772EF6508F597B7912289E2F14B02B2C263715
TrID 45.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.4% (.EXE) Win64 Executable (generic) (10523/12/4)
9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00020149140c2513 (1 x Vidar)
Reporter andretavare5
Tags:exe vidar


Avatar
andretavare5
Sample downloaded from http://gons20cl.top/build.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
359
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458964/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/655787ec0122f58791fa96d0/reports/5fd35375-b428-44df-95f2-5731f513dcfd/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/0e093049b2e7265ce11c541b4f4d9125d44f668fb51ed397c51545c6b46f0fa1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dca88594-a9f0-415b-8547-07d432a6bd70
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1344211
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e093049b2e7265ce11c541b4f4d9125d44f668fb51ed397c51545c6b46f0fa1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e093049b2e7265ce11c541b4f4d9125d44f668fb51ed397c51545c6b46f0fa1/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-17 15:34:05 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
21 of 23 (91.30%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=byetasns44tfzyi4kqnu6tmrexke6zupwupnhf6fcvc4nndpb6qq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231117-szq87sbd4w/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks installed software on the system
Checks computer location settings
Deletes itself
Reads data files stored by FTP clients
Downloads MZ/PE file
Unpacked files
SH256 hash:
711e6bf949b2e82681786b011634cf98733445d02324671dbb7780e81f9c4bda
MD5 hash:
93d4a1842c8c585011d305db13d67aee
SHA1 hash:
cdbf845fc2767edab8b2162ce60112cb96ed1504
Detections:
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/3a8079b6-4a53-4659-a59e-f0ac87dcd6fc/
Parent samples :
5e14a56ec2a51eafe98e9bdf632000b71c28d89ca3f73d03121445c8bead4042
0e093049b2e7265ce11c541b4f4d9125d44f668fb51ed397c51545c6b46f0fa1
SH256 hash:
0e093049b2e7265ce11c541b4f4d9125d44f668fb51ed397c51545c6b46f0fa1
MD5 hash:
1e723a96f93d0f5a6319413595660f4b
SHA1 hash:
4741d4d71cbe09bab41808a29c83f28c449f3ccd
Link:
https://www.unpac.me/results/3a8079b6-4a53-4659-a59e-f0ac87dcd6fc/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e093049b2e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e093049b2e7265ce11c541b4f4d9125d44f668fb51ed397c51545c6b46f0fa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2731344/
Cape
Cape
https://www.capesandbox.com/analysis/458964/
  
URLhaus
https://urlhaus.abuse.ch/url/2731513/

Comments