MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e
SHA3-384 hash: fcf3e4396872238e291dd7e84b56216cc6f73f68ba3f7f6a943e494b56783b0089546fad55529681350fa2c4f9a3d820
SHA1 hash: bf2cc6fe244d17f05d0185d17758fd726562afee
MD5 hash: c1ab7781370290e0f7d8ea98705e8c84
humanhash: nitrogen-violet-wolfram-arizona
File name:main.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:3'337'728 bytes
First seen:2025-02-13 17:25:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash adfb5165841ec7e1fff9b4b9d3b4ceb0 (1 x Vidar, 1 x LummaStealer)
ssdeep 98304:fLpbNHeg4DbSYB5rkUQD4xxmIQV0ymRNmQP:fLpbN+g4n/kUQ4/QVoiQP
Threatray 29 similar samples on MalwareBazaar
TLSH T14CF5297023509345F1B265FF56FA23EA64A9EB72072FF4C347942998D627EF86831813
TrID 46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon 60c0c098acccc8e9 (1 x Vidar, 1 x LummaStealer)
Reporter Anonymous
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
495
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.png
Verdict:
Malicious activity
Analysis date:
2025-02-13 15:19:32 UTC
Tags:
telegram stealer
Link:
https://app.any.run/tasks/17b2c8fb-f35a-47ff-b3d6-23243ba2f9b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ae2b0aa0fd713c335ac2fb
Tags:
virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc obfuscated
Link:
https://www.filescan.io/uploads/67ae2b0bde8d8ae2bd453e0f/reports/b7060f5c-91a6-4d33-8b01-7f6ff90b8b39/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/baa5a1bb-d096-4120-b8aa-3b409149e4fb
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1614466
Signature
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1614466 Sample: main.exe Startdate: 13/02/2025 Architecture: WINDOWS Score: 100 30 webdisk.lodrat.org 2->30 32 t.me 2->32 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 4 other signatures 2->50 8 main.exe 28 2->8         started        signatures3 process4 dnsIp5 34 webdisk.lodrat.org 88.99.124.230, 443, 49987, 49996 HETZNER-ASDE Germany 8->34 36 t.me 149.154.167.99, 443, 49979 TELEGRAMRU United Kingdom 8->36 38 127.0.0.1 unknown unknown 8->38 52 Attempt to bypass Chrome Application-Bound Encryption 8->52 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 8->54 56 Found many strings related to Crypto-Wallets (likely being stolen) 8->56 58 5 other signatures 8->58 12 chrome.exe 8->12         started        15 cmd.exe 1 8->15         started        signatures6 process7 dnsIp8 40 192.168.2.4, 138, 443, 49630 unknown unknown 12->40 42 239.255.255.250 unknown Reserved 12->42 17 chrome.exe 12->17         started        20 conhost.exe 15->20         started        22 timeout.exe 1 15->22         started        process9 dnsIp10 24 play.google.com 142.250.184.238, 443, 50029 GOOGLEUS United States 17->24 26 www.google.com 142.250.186.132, 443, 50016, 50017 GOOGLEUS United States 17->26 28 2 other IPs or domains 17->28
Score:
34%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2025-02-13 17:25:34 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c66fwqntlweuwnzcjzo2uzxcy4zg4efigcpctgxreldgakx4su7a._file
Verdict:
malicious
Label(s):
vidar_2025
Create hunting rule
Similar samples:
07734e9f8689ed74c903c78daa0c429129e20a11fa72460e558fb94618219bc7
Vidar
17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e
Vidar
19198e75f7c830441360a42b06e10415f4368300a7590c119c237ea8c67bf23e
Vidar
aa226ab5c6754cbbf77de7e20a0bf76529cd7a7b1066df846c15aa89f6cbd0a1
Vidar
d0ebe35a902832fbd856e5a03d770c5cf1d7ba9c9418a51bda6d9b0698771841
Vidar
efbd528c8ed8c5253b5e191eedc85e30f75778a417b5f427da115e7f44d9dd47
Vidar
error
Vidar
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/250213-vzelhszrcr/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/886e4ac4-9aff-47ea-8834-c7821446da4c
Unpacked files
SH256 hash:
17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e
MD5 hash:
c1ab7781370290e0f7d8ea98705e8c84
SHA1 hash:
bf2cc6fe244d17f05d0185d17758fd726562afee
Link:
https://www.unpac.me/results/58f2c498-536f-4499-90f0-a5f0bb2fc9a0/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/17bc5b41b35d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3438228/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::ReadConsoleOutputW
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleInputW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::ReadConsoleOutputCharacterW
KERNEL32.dll::ReadConsoleOutputAttribute
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateFileW
KERNEL32.dll::SetDllDirectoryW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::QueryDosDeviceW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::QueryServiceConfig2W
ADVAPI32.dll::QueryServiceLockStatusW
ADVAPI32.dll::QueryServiceStatus
ADVAPI32.dll::QueryServiceStatusEx
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW

Comments