MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ffb1a03bf0c0819a9b9dd162d77de911c5a54cd43e2c2e338bb637303351244. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 10
SHA256 hash: 0ffb1a03bf0c0819a9b9dd162d77de911c5a54cd43e2c2e338bb637303351244
SHA3-384 hash: d7f24a9cbe55b0e77368f779b7db1749172c48a0b02939f69a51d8d69ae380edadc05b38bf7015f8a643671ddcac964e
SHA1 hash: 28815d461bee427435b8a4c16696667408a192ce
MD5 hash: 4c56955922234090e8676ba4f9871c07
humanhash: freddie-solar-hotel-whiskey
File name: spotify.ps1
Signature: Vidar
File size: 3'294 bytes
First seen: 2025-03-27 18:27:24 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 96:j/p3PsPuPuPgsPkQPoPdPgPZPTLw8OcFW8ZMC8WdQw:j/p3PsPuPuPgsPkQPoPdPgPZPTLw8OcL
Threatray: 6 similar samples on MalwareBazaar
TLSH: T103616201373CE31810F843791E48D8A4D73A026E9139B864F3CCD9942F261EA5BBEB58
Magika: powershell
Reporter: JAMESWT_WT
Tags: amshell-ws amssh-ws installsh-pages-dev ps1 ty-ap-4t-com vidar

Intelligence

File Origin
# of uploads: 1
# of downloads: 115
Origin country: IT
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: dropper lolbin msbuild packed persistence
Result
Verdict: SUSPICIOUS
Details: Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Powershell drops PE file
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1650507, Sample: spotify.ps1, Startdate: 27/03/2025, Architecture: WINDOWS, Score: 100
Threat name: Win32.Dropper.Generic
Status: Suspicious
First seen: 2025-03-23 15:18:54 UTC
File Type: Text (PowerShell)
AV detection: 1 of 36 (2.78%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:00cb84c6bd4caac4bdfc1131beae4df7 credential_access defense_evasion discovery execution persistence spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Hide Artifacts: Hidden Window
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
Dropper Extraction:
https://jacrcell.com/joomla/crypted.exe
https://installsh.pages.dev/config.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: SUSP_PowerShell_Base64_Decode
Author: SECUINFRA Falcon Team
Description: Detects PowerShell code to decode Base64 data. This can yield many FP
