MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12b053ff554ab6a4db909b0ee33f419b09f1f0f8a6612ae9773db3451e6d166a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments 1

SHA256 hash:	12b053ff554ab6a4db909b0ee33f419b09f1f0f8a6612ae9773db3451e6d166a
SHA3-384 hash:	64503cbc317d87d6d959c435621eee41f3dddbdcb53c5cdb89142b1346d7fc1cef3189f85731decc1194f5055b849d5e
SHA1 hash:	2d70248fc6fec261971b4b74c09794d55239e8f5
MD5 hash:	e3ab1a19bbe6091e10550086c676e189
humanhash:	alaska-table-white-princess
File name:	e3ab1a19bbe6091e10550086c676e189
Download:	download sample
Signature	Vidar Create hunting rule
File size:	2'087'936 bytes
First seen:	2023-02-06 16:31:28 UTC
Last seen:	2023-02-06 18:36:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b257eea5cf0297535608947d55f88f6b (2 x RedLineStealer, 1 x Vidar)
ssdeep	12288:ItI83H5skVTTE5ZhYBZ4AZa7tbsQDysckC0eh9/5z9:IpsLOBZ4oaDen
Threatray	1'251 similar samples on MalwareBazaar
TLSH	T19BA5BF90E3E28576DA2016F114F4A9726BED77DF46818DE763F77B1A0A29080F35329C
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

e3ab1a19bbe6091e10550086c676e189

Verdict:

Malicious activity

Analysis date:

2023-02-06 16:34:06 UTC

Tags:

stealer vidar trojan

Link:

https://app.any.run/tasks/8e19d7b3-7f29-417e-8f9e-e6d5cd202fdc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/360983/

Detection(s):

SecuriteInfo.com.W32.Kryptik.HSIR.tr.18441.27650.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/65852/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63e12b86416d38777a7a9b58/reports/9d01ed7b-e79f-4f89-8bf9-cc8812f4dea9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/12b053ff554ab6a4db909b0ee33f419b09f1f0f8a6612ae9773db3451e6d166a

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ef11b131-84ac-4410-a66a-2e0906cbac52

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1166844

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/12b053ff554ab6a4db909b0ee33f419b09f1f0f8a6612ae9773db3451e6d166a/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2023-02-06 16:32:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ckyfh72vjk3kjw4qtmhogp2btme7d4hyuzqsv2lxhwzukhtnczva._file

Verdict:

malicious

Vidar

366e015f3ab40776810c6c6b3e2c26c294311ff0b7f3232ce7ad2a3445649301

Vidar

4e8575081ab4e714f413c5cbe83141127d397da4df656fe28f2a1c42356dbb65

Vidar

62fb38640d60c70e8701cc74ebdfc7bf75b4e0274f0daa778ddef889abd3050e

Vidar

6799039398f64ecaae8d532ce14fd2187e889d18ec9cf14b6d8dfc653a31584f

Vidar

934be33621f60d5c6026af662631a4de2c054ccd0f132b268e721c73afc8aa37

Vidar

ad4e377633b5f0a87ad2a4a6b741615016de79605225737fc4ba5c70308c5e68

Vidar

db63bcace9a0c31bb174200f93661ff44664634a56b4c05145bbf382d33451f8

Vidar

ee80016e8f3281ce593898821850463ae7bff86c63be1fcc79d15333531e791d

Vidar

+ 1'241 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:694 spyware stealer

Link:

https://tria.ge/reports/230206-t12xrsab3t/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Vidar

Unpacked files

SH256 hash:

392b370db5aa9f8b79cdad8464a0c08191dd99049a76f3c094417441b0c53333

MD5 hash:

333f06d13da31aa9ec588a6215412cee

SHA1 hash:

c1e4d00e64178a3e04901eb7fa313ebd7203256f

Detections:

VidarStealer

Link:

https://www.unpac.me/results/e2016a20-f323-4ea0-9cb8-49f79690bf21/

SH256 hash:

12b053ff554ab6a4db909b0ee33f419b09f1f0f8a6612ae9773db3451e6d166a

MD5 hash:

e3ab1a19bbe6091e10550086c676e189

SHA1 hash:

2d70248fc6fec261971b4b74c09794d55239e8f5

Link:

https://www.unpac.me/results/e2016a20-f323-4ea0-9cb8-49f79690bf21/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/12b053ff554a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/12b053ff554ab6a4db909b0ee33f419b09f1f0f8a6612ae9773db3451e6d166a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents