MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588
SHA3-384 hash: 3bfc8e00167000633efd0c636867e8a5b78249cae4b39649d68a09ba6613ca27d4f491757de0819cc6651e5c23f99a00
SHA1 hash: d5f4e666ca2b2cab3451ff784659cc22b4957a49
MD5 hash: 11f82e84e17670912b1f93c827ed7f35
humanhash: eight-social-music-muppet
File name:SZOI-Wyciek-20-03-2023.xll
Download: download sample
Signature Vidar
Create hunting rule
File size:735'744 bytes
First seen:2023-03-26 15:25:52 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep 12288:5n/zDvGHAykHSzLW/4+8bzbBSreMdCQ4gLuUkvSK/7gFK/UqW53:dzbGHAzHAjX1yq3vSK/rcL
Threatray 134 similar samples on MalwareBazaar
TLSH T10EF4AE57F7C7FAB0E6BE827A82B1851C527774520260A78F674076896E23392493DF0F
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter 0xToxin
Tags:vidar xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SZOI-Wyciek-20-03-2023.xll
Verdict:
No threats detected
Analysis date:
2023-03-26 15:27:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/10e9852e-8c54-4cd2-9e79-d46fd5307ab6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis4EBC548DF517.17970.15145.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6420640c80ca4ca1ff5969f2/reports/faa4201a-fd3d-41b4-b31e-76597a5719c0/overview
Verdict:
Malicious
Labled as:
Trojan.Crypt
Link:
https://www.hybrid-analysis.com/sample/1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1202172
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 835077 Sample: SZOI-Wyciek-20-03-2023.xll Startdate: 26/03/2023 Architecture: WINDOWS Score: 48 12 Multi AV Scanner detection for submitted file 2->12 6 cmd.exe 7 2 2->6         started        process3 process4 8 EXCEL.EXE 24 23 6->8         started        10 conhost.exe 6->10         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 09:04:15 UTC
File Type:
PE+ (Dll)
Extracted files:
2
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dsjgirzsqhynkfcjckumaxmag2l4pwuha7gvmbybpzutnux2cwea._file
Verdict:
unknown
Similar samples:
11f043be592062ab85382581c73702cdb772b8292e7de1f84d63da3e8a13caa1
Vidar
86a8ee23cb943b383835eb2ba8bc513641ee6953ba1715832a8a485931054273
Vidar
983ffa1a7513ab6d015e1c4785bda2a2f20a47bf6091773db9341ebcdaf84e93
Vidar
aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088
Vidar
b3f6afb079d5d25bea3a043d033091d5a0a8fde399c900a6337bc5e1dd65d279
Vidar
c5617b10a4b7bc7f4f5b457ad59744510d9dee0ee0dd84f1f7882e29e70c1139
Vidar
c7ecbd646727c85760706a61c2283909c13cb5cd80f51f3ce5af83ed438d293d
Vidar
cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861
Vidar
d340898f14aaa9f884b022b4be1b849eae4be5e275432348dc6bcb1fa09e28cb
Vidar
dba5353ab99e0d16f30cf5ee5f1f160493b9a9b6364c71197e573f81e4145e75
Vidar
+ 124 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:e37abeff0df24a473dacaf8467d6fa48 discovery spyware stealer
Link:
https://tria.ge/reports/230326-st7c8sah8s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Process spawned unexpected child process
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c9264473281f0d5144912a8c05d803697c7da8707cd5607017e6936d2fa1588

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Find_Any_Xll_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Find Any XLL File
Rule name:Hunt_Excel_DNA_Built_XLL_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Hunt for Excel Addin dll files generated with Excel-DNA builder https://excel-dna.net/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments