MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17fda4fb35aa42510fe2ae20d26a6d74ee65075ce95a084c32ca9548a58838a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17fda4fb35aa42510fe2ae20d26a6d74ee65075ce95a084c32ca9548a58838a0
SHA3-384 hash: f7b98a1ef4c20343227cb113bc48a3dd090428f1f1d611ba103d39fb475eadee0e5f9aed48324929044e785aa3138015
SHA1 hash: 4c7f18fc0fc379e232df0303dd80654d693e45b5
MD5 hash: 2353ef140fcfb38add13c74b388b710d
humanhash: echo-seven-coffee-mockingbird
File name:2353ef140fcfb38add13c74b388b710d.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:297'472 bytes
First seen:2023-10-06 07:53:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 046dfae6c2280fbc36820b8f28604732 (3 x Smoke Loader, 2 x Tofsee, 2 x GCleaner)
ssdeep 6144:w1S2o9ph6wYDkInQFXYFed9jjzehAMwr71V82IXRn:ws20ZUZFijzehAMz2S
Threatray 16 similar samples on MalwareBazaar
TLSH T1B4540122B890DCB6C40B517D4431CAF0AB7D742196998A8B3B5836FF7E2C6C0D72BB45
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 080828480a0b0600 (1 x Vidar)
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/17fda4fb35aa42510fe2ae20d26a6d74ee65075ce95a084c32ca9548a58838a0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6438e85a-a420-49e4-ad7f-22ff2f83cc87
Result
Threat name:
SystemBC, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320771
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected SystemBC
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1320771 Sample: fsGU8jdv8x.exe Startdate: 06/10/2023 Architecture: WINDOWS Score: 100 45 transfer.sh 2->45 47 t.me 2->47 63 Multi AV Scanner detection for domain / URL 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 10 other signatures 2->69 8 fsGU8jdv8x.exe 38 2->8         started        13 powershell.exe 11 2->13         started        15 powershell.exe 2->15         started        signatures3 process4 dnsIp5 49 116.202.7.149, 27015, 49694 HETZNER-ASDE Germany 8->49 51 t.me 149.154.167.99, 443, 49693 TELEGRAMRU United Kingdom 8->51 53 transfer.sh 144.76.136.153, 443, 49702 HETZNER-ASDE Germany 8->53 35 C:\ProgramData\softokn3.dll, PE32 8->35 dropped 37 C:\ProgramData\nss3.dll, PE32 8->37 dropped 39 C:\ProgramData\mozglue.dll, PE32 8->39 dropped 41 4 other files (2 malicious) 8->41 dropped 71 Detected unpacking (changes PE section rights) 8->71 73 Detected unpacking (overwrites its own PE header) 8->73 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 8->75 77 3 other signatures 8->77 17 33409713125882810320.exe 1 8->17         started        21 WerFault.exe 21 16 8->21         started        23 33409713125882810320.exe 13->23         started        25 conhost.exe 13->25         started        27 33409713125882810320.exe 15->27         started        29 conhost.exe 15->29         started        file6 signatures7 process8 dnsIp9 43 89.187.184.206, 4299, 49710 CDN77GB Czech Republic 17->43 55 Multi AV Scanner detection for dropped file 17->55 57 Detected unpacking (changes PE section rights) 17->57 59 Detected unpacking (overwrites its own PE header) 17->59 61 3 other signatures 17->61 31 WerFault.exe 21 23->31         started        33 WerFault.exe 21 27->33         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17fda4fb35aa42510fe2ae20d26a6d74ee65075ce95a084c32ca9548a58838a0/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-06 03:22:10 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c762j6zvvjbfcd7cvyqne2tnotxgkb245fnaqtbszkkurjmihcqa._file
Verdict:
malicious
Similar samples:
0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804
Vidar
34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
Vidar
5b4bced547eb17aa796a64c58e89f9d96e56edab6596e02ec13801bf5d452b97
Vidar
786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
Vidar
886342b2453f5e52cc908b181da9ddfd3d47ba2b63e85a8e00a23253c1d51192
Vidar
e065676a6d3fd822fed9b2a99771a1355035f63873142fa3999cb69659a984d8
Vidar
+ 6 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:e22d2e68f8601f5538d68ac735f8c50d discovery spyware stealer
Link:
https://tria.ge/reports/231006-jrjpqabh92/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199557479327
https://t.me/grizmons
Unpacked files
SH256 hash:
f7f9a953be3d12cffa8768085fac0a695fe3df75abb34620f6e9925b3ea65f1d
MD5 hash:
dd4b9f815d8eb6a500cd3fc3ae8e1fac
SHA1 hash:
b6a53917917f0f0366cb399f44648eaf5d8679d2
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/7ddc89b2-7421-4740-94e8-cfeac473c1e8/
Parent samples :
17fda4fb35aa42510fe2ae20d26a6d74ee65075ce95a084c32ca9548a58838a0
b68a9b870d86b1693834b550d706cb9b2582309e669bfe09a43601b81605d494
SH256 hash:
17fda4fb35aa42510fe2ae20d26a6d74ee65075ce95a084c32ca9548a58838a0
MD5 hash:
2353ef140fcfb38add13c74b388b710d
SHA1 hash:
4c7f18fc0fc379e232df0303dd80654d693e45b5
Link:
https://www.unpac.me/results/7ddc89b2-7421-4740-94e8-cfeac473c1e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17fda4fb35aa42510fe2ae20d26a6d74ee65075ce95a084c32ca9548a58838a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 17fda4fb35aa42510fe2ae20d26a6d74ee65075ce95a084c32ca9548a58838a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2717185/
  
Delivery method
Distributed via web download

Comments