MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 159d98362df9853029651ed00cc363dbada760b2427150ffa23e7827e205b882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 14



SHA256 hash: 159d98362df9853029651ed00cc363dbada760b2427150ffa23e7827e205b882
SHA3-384 hash: 37a391135dbbacd9ca02a07bafaf45b5822273f3ae5a0d7c6c87faba39386bc3aba4859395b881e69f4febaf6b333046
SHA1 hash: 75404e49bda38131263d9248680f00095a2c7c10
MD5 hash: 532c1c8d138de39ab85eab26d237e864
humanhash: five-william-fillet-california
File name: 532c1c8d138de39ab85eab26d237e864
Signature: Vidar
File size: 632'320 bytes
First seen: 2023-04-12 12:43:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 3072:LOhX0N7+f1E5FX4gjCO99PmzBxWkUDOmEORLOtLBCFTH9Vxr:ShEN7+W4gh99O+kU6JOJkITHp
Threatray 623 similar samples on MalwareBazaar
TLSH T123D468C27785D063EC430A704E9793DA972DFDE0EE6031636721F74E0A7AAE26E61315
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 00f0cccececed000 (1 x Vidar)
Reporter: abuse_ch
Tags: exe vidar

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 254
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 532c1c8d138de39ab85eab26d237e864
Verdict: Malicious activity
Analysis date: 2023-04-12 12:45:12 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 86%
Tags: advpack.dll CAB hacktool installer large-file packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 845451, sample TnhvNh3ZQm.exe, start date 12/04/2023, architecture WINDOWS, score 100 (graph image not reproduced in text)
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2023-04-12 13:06:57 UTC
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:0e17f083173cc2ea34d9ec9eba45b33f persistence spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
Unpacked files
SHA256 hash: 159d98362df9853029651ed00cc363dbada760b2427150ffa23e7827e205b882
MD5 hash: 532c1c8d138de39ab85eab26d237e864
SHA1 hash: 75404e49bda38131263d9248680f00095a2c7c10
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments