MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23076d148144e0ca92d69bf92edd6cd8b4cc99749c3d50f3af0ab05c58a2efe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 13

SHA256 hash: 23076d148144e0ca92d69bf92edd6cd8b4cc99749c3d50f3af0ab05c58a2efe7
SHA3-384 hash: 0a7ad7fa5f2cf3941412266c1d0800bd45fe0791c6d4e097be262e926e92f55224110c038ce25f94272843783ec3dfc8
SHA1 hash: 26229f33d8e8553f7698be31698880e4bafac554
MD5 hash: ddd5f9207c5d8c147aea77f8d9e77e22
humanhash: potato-idaho-nebraska-robin
File name: file
File size: 562'176 bytes
First seen: 2025-05-02 19:22:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b23510932b3d0f63aae2b8be70a1f033 (16 x LummaStealer, 3 x Vidar, 2 x XWorm)
ssdeep: 12288:yYuste6MiSbVFs2fu6pB2PD/oRIl0r/zHiJvvhGzzHiJvvhG:yYuste6M3bVFs2fu6fS0CJwCJ
Threatray: 81 similar samples on MalwareBazaar
TLSH: T141C4E019A39244EAFE6781BE89A05114B5737922C328DFFF5290D3372E037D05EBA725
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: jstrosch
Tags: exe X64


jstrosch
Found at hxxp://94.26.90[.]80/VisualCode.exe by #subcrawl

Intelligence


File Origin
# of uploads: 1
# of downloads: 438
Origin country: CA

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags:
microsoft_visual_cc packed packed packer_detected vidar
Result
Threat name:
LummaC Stealer, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID 1680206; Sample: file.exe; Startdate: 02/05/2025; Architecture: WINDOWS; Score: 100 (graph node text omitted; the signatures, dropped files, processes and network contacts it lists are those summarised in the Signature section above).
Threat name:
Win64.Trojan.LummaStealer
Status:
Malicious
First seen:
2025-05-02 05:00:41 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags:
family:asyncrat family:lumma family:njrat family:quasar family:vidar botnet:158fdd2a4f5abb978509580715e5353f botnet:default botnet:edge botnet:user credential_access defense_evasion discovery persistence rat spyware stealer themida trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Themida packer
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
AsyncRat
Asyncrat family
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
njRAT/Bladabindi
Malware Config
C2 Extraction:
Verdict:
Suspicious
Tags:
stealc
YARA:
n/a
Unpacked files
SHA256 hash:
23076d148144e0ca92d69bf92edd6cd8b4cc99749c3d50f3af0ab05c58a2efe7
MD5 hash:
ddd5f9207c5d8c147aea77f8d9e77e22
SHA1 hash:
26229f33d8e8553f7698be31698880e4bafac554
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 23076d148144e0ca92d69bf92edd6cd8b4cc99749c3d50f3af0ab05c58a2efe7

(this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Reviews

ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileA, KERNEL32.dll::CreateFileW
