MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar
Vendor detections: 16



SHA256 hash: 1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d
SHA3-384 hash: 4d502d6d940055c60d4a1053145f8ee83db57b746c2ff6bdd9983aa4d728a6c50550cc043febc5deb987fad9fc315e0a
SHA1 hash: 78a00b190d88eaf514b5bf2af754681795de9e44
MD5 hash: 4f3ddd6692d604ecf2bd37d93d0f2387
humanhash: bravo-mockingbird-april-alabama
File name: file
Download: download sample
Signature: Vidar
File size: 4'301'312 bytes
First seen: 2024-09-26 18:12:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep: 98304:9BkNhx7tr/K0pB+km2inP8I0zJDd0TfuBUR8/Rg:9BkNVbiP8fDd0yBUy/q
TLSH: T163163357932C48D0F27A11F987339F512AB88D2650BCB27D42D87E6D28F53523DAB683
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
File icon (PE): PE icon
dhash icon: fee08ababaaebe80 (1 x Vidar)
Reporter: Bitsight
Tags: exe vidar


Comment by Bitsight:
url: http://147.45.44.104/yuop/66f5a3dbd9df9_ParentingContractor.exe#angry

Intelligence


File Origin
# of uploads: 1
# of downloads: 447
Origin country: US

Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2024-09-26 18:15:20 UTC
Tags: autoit-loader vidar stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: Encryption Execution Generic Network Stealth Trojan Ransomware Emotet Autoit Tori
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Moving a file to the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer lolbin microsoft_visual_cc overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: rans.evad
Score: 60 / 100
Signature
AI detected suspicious sample
Drops PE files with a suspicious file extension
Sigma detected: Search for Antivirus process
Writes many files with high entropy
Behaviour
Behavior Graph (ID: 1519664; sample: file.exe; start date: 26/09/2024; architecture: WINDOWS; score: 60):
  Top-level signatures: Sigma detected: Search for Antivirus process; AI detected suspicious sample
  DNS/IP: MOeNabJLuIqmcaKh.MOeNabJLuIqmcaKh; GKvzvTlzHPQbFyfUUanEp.GKvzvTlzHPQbFyfUUanEp
  file.exe (started)
    Dropped: C:\Users\user\AppData\Local\Temp\Temporary (data); C:\Users\user\AppData\Local\Temp\Sony (data); C:\Users\user\AppData\Local\Temp\Senator (data); 45 other malicious files
    Signature: Writes many files with high entropy
    cmd.exe (started)
      Dropped: C:\Users\user\AppData\Local\Temp\...\Fly.pif (PE32)
      Signatures: Drops PE files with a suspicious file extension; Writes many files with high entropy
      cmd.exe (started): dropped C:\Users\user\AppData\Local\Temp\159317\w (data)
      cmd.exe (started): dropped C:\Users\user\AppData\Local\Temp\159317\p (data)
      Fly.pif (started)
      9 other processes (started)
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-09-26 18:42:33 UTC
File Type: PE (Exe)
Extracted files: 52
AV detection: 5 of 23 (21.74%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:8804a4f27e22750a8baa49e881ddca35 credential_access discovery execution spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Detect Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 0a6b558dc092b4f6bce802a6407fe468f7b973c82db36e2d7a0d0db5635838b4
MD5 hash: 1fbd01ee768b7c4abfd2783a4707a072
SHA1 hash: 15288415ec755c2673da3c716386abfdd35aaaed

SHA256 hash: b9bf4047e74f2e8fc52b9b37c85ada27577c66002ed82c0e2a9e47d661393260
MD5 hash: d2434c632d177291c993ae660ee7dd83
SHA1 hash: d7e274ea50897e4b857e7f984647b5d2b3ec8e3b
Detections: VidarStealer

SHA256 hash: a92031c3f754070e8bca0a769b0c68828ad892aea84e79ea0c5309fc83a2bb0b
MD5 hash: 8dbba0d76f33bfe16abc6c9289329a79
SHA1 hash: 1d04f42c4e79d7af48e478c58c20ac4f610ba83a
Detections: AutoIT_Compiled

Parent samples:
SHA256 hash: 1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d
MD5 hash: 4f3ddd6692d604ecf2bd37d93d0f2387
SHA1 hash: 78a00b190d88eaf514b5bf2af754681795de9e44
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Vidar: Executable exe 1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d (this sample)
  Dropped by: Privateloader
  Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Reviews
ID                   Capabilities                         Evidence
COM_BASE_API         Can Download & Execute components    ole32.dll::CoCreateInstance
SHELL_API            Manipulates System Shell             SHELL32.dll::ShellExecuteW
                                                          SHELL32.dll::SHFileOperationW
                                                          SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API    Can Create Process and Threads       KERNEL32.dll::CreateProcessW
                                                          KERNEL32.dll::OpenProcess
                                                          KERNEL32.dll::CloseHandle
                                                          KERNEL32.dll::CreateThread
WIN_BASE_API         Uses Win Base API                    KERNEL32.dll::LoadLibraryW
                                                          KERNEL32.dll::LoadLibraryA
                                                          KERNEL32.dll::LoadLibraryExW
                                                          KERNEL32.dll::GetDiskFreeSpaceW
                                                          KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API      Can Create Files                     KERNEL32.dll::CopyFileW
                                                          KERNEL32.dll::CreateDirectoryW
                                                          KERNEL32.dll::CreateFileW
                                                          KERNEL32.dll::DeleteFileW
                                                          KERNEL32.dll::MoveFileW
                                                          KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API          Can Manipulate Windows Registry      ADVAPI32.dll::RegCreateKeyExW
                                                          ADVAPI32.dll::RegDeleteKeyW
                                                          ADVAPI32.dll::RegOpenKeyExW
                                                          ADVAPI32.dll::RegQueryValueExW
                                                          ADVAPI32.dll::RegSetValueExW
WIN_USER_API         Performs GUI Actions                 USER32.dll::AppendMenuW
                                                          USER32.dll::EmptyClipboard
                                                          USER32.dll::FindWindowExW
                                                          USER32.dll::OpenClipboard
                                                          USER32.dll::PeekMessageW
                                                          USER32.dll::CreateWindowExW
