MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1db0b59b7d436ea6160df9ca561543ea77cf6243fcf21a46282852d67421da7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1db0b59b7d436ea6160df9ca561543ea77cf6243fcf21a46282852d67421da7e
SHA3-384 hash: fd6146212dcfca6880e34383c7e2748da3d1365affd1fc7c4e9d76927525cb4b9fbd4c405537b7a7f1611643a3a9bb2a
SHA1 hash: e24d13f1571fdf8901f6614bbcf8fb906c75978c
MD5 hash: 2abef52a1ac1705dccb5ac0978f2e7a4
humanhash: lake-seven-snake-lake
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:161'280 bytes
First seen:2023-11-05 15:50:33 UTC
Last seen:2023-11-06 04:27:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:jmrgsbFpz956vK5JzM4vPxAyE3KNAV5WTBbwKcbywfm7o8HS+:QgCB9cv6dMpymKNAV5U7cbyOm7o8H
TLSH T142F3F120E3F09144D9FA0B79A6F62580D33A39775B57D709CD8961CA286ABB3C6C0F13
TrID 30.6% (.SCR) Windows screen saver (13097/50/3)
24.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:exe vidar


Avatar
andretavare5
Sample downloaded from http://171.22.28.221/files/Ads.exe

Intelligence

File Origin
# of uploads :
21
# of downloads :
397
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458104/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.18117.28169.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6547b9e7e0edd2ae550a0219/reports/c6b7aa86-03c7-41a7-8965-f640117cef1e/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.IN.Generic
Link:
https://www.hybrid-analysis.com/sample/1db0b59b7d436ea6160df9ca561543ea77cf6243fcf21a46282852d67421da7e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20e7f3ef-7b8c-43f1-9a40-f3369a22c116
Result
Threat name:
Glupteba, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1337274
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1337274 Sample: file.exe Startdate: 05/11/2023 Architecture: WINDOWS Score: 100 151 Multi AV Scanner detection for domain / URL 2->151 153 Found malware configuration 2->153 155 Malicious sample detected (through community Yara rule) 2->155 157 18 other signatures 2->157 9 file.exe 2 4 2->9         started        12 svchost.exe 2->12         started        14 svchost.exe 1 1 2->14         started        process3 dnsIp4 191 Adds a directory exclusion to Windows Defender 9->191 193 Disables UAC (registry) 9->193 17 CasPol.exe 15 502 9->17         started        22 powershell.exe 22 9->22         started        24 WerFault.exe 12->24         started        26 WerFault.exe 12->26         started        28 WerFault.exe 12->28         started        30 WerFault.exe 12->30         started        147 69.192.108.161 AKAMAI-ASUS United States 14->147 149 127.0.0.1 unknown unknown 14->149 signatures5 process6 dnsIp7 137 80.66.64.20 VAD-SRL-AS1MD Russian Federation 17->137 139 5.42.67.10 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 17->139 141 14 other IPs or domains 17->141 91 C:\Users\...\zE05vikcmVM50euE8veR46SX.exe, PE32 17->91 dropped 93 C:\Users\...\yp4PnFUuu6g4gm6s60JeJwGf.exe, PE32 17->93 dropped 95 C:\Users\...\yVt8pAW8BNdgFDw95gA9zFk2.exe, PE32 17->95 dropped 97 285 other malicious files 17->97 dropped 185 Drops script or batch files to the startup folder 17->185 187 Creates HTML files with .exe extension (expired dropper behavior) 17->187 189 Writes many files with high entropy 17->189 32 WtLfentIwD2rHBsJVhwDy8pD.exe 17->32         started        37 IY58kqm2DNqnNzRlYmi1lC5i.exe 17->37         started        39 X0BsrcvpEPaEMDbc549IBslO.exe 17->39         started        43 13 other processes 17->43 41 conhost.exe 22->41         started        file8 signatures9 process10 dnsIp11 123 107.167.110.211 OPERASOFTWAREUS United States 32->123 125 107.167.110.218 OPERASOFTWAREUS United States 32->125 135 6 other IPs or domains 32->135 73 Opera_installer_2311051552014597040.dll, PE32 32->73 dropped 75 C:\Users\user\AppData\Local\...\opera_package, PE32 32->75 dropped 85 5 other malicious files 32->85 dropped 159 Found many strings related to Crypto-Wallets (likely being stolen) 32->159 161 Writes many files with high entropy 32->161 163 Found evasive API chain checking for user administrative privileges 32->163 45 WtLfentIwD2rHBsJVhwDy8pD.exe 32->45         started        48 WtLfentIwD2rHBsJVhwDy8pD.exe 32->48         started        50 WtLfentIwD2rHBsJVhwDy8pD.exe 32->50         started        77 C:\Users\user\AppData\Local\...\is-N2K19.tmp, PE32 37->77 dropped 52 is-N2K19.tmp 37->52         started        127 5.182.38.138 VMAGE-ASRU Russian Federation 39->127 129 149.154.167.99 TELEGRAMRU United Kingdom 39->129 131 195.201.34.151 HETZNER-ASDE Germany 39->131 87 6 other files (4 malicious) 39->87 dropped 165 Detected unpacking (changes PE section rights) 39->165 167 Detected unpacking (overwrites its own PE header) 39->167 169 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->169 177 2 other signatures 39->177 133 172.67.222.167 CLOUDFLARENETUS United States 43->133 79 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 43->79 dropped 81 C:\Users\user\AppData\Local\...\Install.exe, PE32 43->81 dropped 83 C:\Users\user\AppData\Local\...\Install.exe, PE32 43->83 dropped 89 2 other malicious files 43->89 dropped 171 Found Tor onion address 43->171 173 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->173 175 Writes to foreign memory regions 43->175 179 2 other signatures 43->179 54 Install.exe 43->54         started        56 AppLaunch.exe 43->56         started        58 WerFault.exe 43->58         started        61 4 other processes 43->61 file12 signatures13 process14 dnsIp15 99 Opera_installer_2311051552041837544.dll, PE32 45->99 dropped 113 21 other malicious files 45->113 dropped 63 WtLfentIwD2rHBsJVhwDy8pD.exe 45->63         started        101 Opera_installer_2311051552020567216.dll, PE32 48->101 dropped 103 Opera_installer_2311051552027197348.dll, PE32 50->103 dropped 105 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 52->105 dropped 107 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 52->107 dropped 109 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 52->109 dropped 115 24 other files (23 malicious) 52->115 dropped 111 C:\Users\user\AppData\Local\...\Install.exe, PE32 54->111 dropped 66 Install.exe 54->66         started        69 dialer.exe 56->69         started        71 WerFault.exe 56->71         started        143 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 58->143 145 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 61->145 file16 process17 file18 117 Opera_installer_2311051552049157648.dll, PE32 63->117 dropped 119 C:\Users\user\AppData\Local\...\xxeWTgv.exe, PE32 66->119 dropped 121 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 66->121 dropped 181 Modifies Group Policy settings 66->181 183 Checks if the current machine is a virtual machine (disk enumeration) 69->183 signatures19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1db0b59b7d436ea6160df9ca561543ea77cf6243fcf21a46282852d67421da7e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1db0b59b7d436ea6160df9ca561543ea77cf6243fcf21a46282852d67421da7e/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-05 15:51:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwyllg35inxkmfqn7hffmfkd5j346ysd7tzburrifbjnm5bb3j7a._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:vidar botnet:8036442451e00fa27a235c4a80cbfb3c discovery dropper evasion loader persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/231105-tagh5sgd51/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Vidar
Windows security bypass
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199566884947
https://t.me/octobrains
Unpacked files
SH256 hash:
9f0595233b5eacb68d34b3ea528a37036f384df9d6cf0fe0989c0f1781c5a7a2
MD5 hash:
b07f4d6cc6c892c968f1bfb2b5138d69
SHA1 hash:
7adf3a0e4a12a63fa1e88e0f6b17ea684e04808a
Link:
https://www.unpac.me/results/59f15b31-f717-42a2-bcba-9b5409a262c5/
SH256 hash:
1db0b59b7d436ea6160df9ca561543ea77cf6243fcf21a46282852d67421da7e
MD5 hash:
2abef52a1ac1705dccb5ac0978f2e7a4
SHA1 hash:
e24d13f1571fdf8901f6614bbcf8fb906c75978c
Link:
https://www.unpac.me/results/59f15b31-f717-42a2-bcba-9b5409a262c5/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1db0b59b7d43/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/1db0b59b7d436ea6160df9ca561543ea77cf6243fcf21a46282852d67421da7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/458104/
  
URLhaus
https://urlhaus.abuse.ch/url/2721934/

Comments