MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 11

Intelligence 11 IOCs YARA 12 File information Comments

SHA256 hash:	28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6
SHA3-384 hash:	1b85c0f690873dd58d3d3de78afe0486245bc7571822b272ef2f9522d0862e82d85625fc7400e6497c352a4cfefc318c
SHA1 hash:	799759a1630d58dec2f03bc898deb34b90972005
MD5 hash:	c0820a2d4e1c83bd612564dbe6a614cb
humanhash:	wolfram-angel-lion-solar
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	231'936 bytes
First seen:	2024-02-29 14:46:19 UTC
Last seen:	2024-02-29 16:23:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	535a2920d83fb0f06dbce1a89d4f2441 (1 x Vidar)
ssdeep	3072:uNVZG1z1E9/n6+wLgWPHqwUSrV+oBpiPMijLt8TjXu67QUUeDULZIcnbjsq:QGl1E7NQHcKPeMijLt8TnQUhuISsq
Threatray	37 similar samples on MalwareBazaar
TLSH	T11334DF2136E1C433D0AF0A3569B482B57A7FB8711BA441DBB7B8273A2F316D04A35767
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	64d29a9889b9b989 (1 x Vidar, 1 x Glupteba)
Reporter	Bitsight
Tags:	exe vidar

Bitsight

url: https://vk.com/doc329118071_675421463?hash=Z68dGlG4gA8A9CQXP7Z96srJddlMVF7VmQkawyznK64&dl=K3VxTtGXzncARzg41Wg5XNePmRvzx7mBflZuE7eviVz&api=1&no_preview=1#gt

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.11305.5882.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint packed vidar

Link:

https://www.filescan.io/uploads/65e098eb53c8f1aac459420c/reports/319ca017-5550-44f8-8934-ca38a543d85e/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/585f83a2-73a8-491e-b95d-20093b81b4d0

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1400965

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM3

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-02-29 14:47:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fdbokpj4ilwft75zogsg2ef7ktzjsf7j4mvpdv5hnflaivzgyxta._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:b8a5ebfe4a0abceff8d2cd1a6c6c4024 stealer

Link:

https://tria.ge/reports/240229-r5vm5scf83/

Behaviour

Modifies system certificate store

Program crash

Detect Vidar Stealer

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199644883218
https://t.me/neoschats

Unpacked files

SH256 hash:

617932fa32314688174aaccca724492e5106c6a2cd3460de991a9b6669e23eaa

MD5 hash:

64be4169f79475fd2b2f42d6a02749be

SHA1 hash:

20fa348c71aa7272d157b5c44e559190b4571662

Detections:

VidarStealer

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Link:

https://www.unpac.me/results/179d8169-8039-4e1f-a0f2-c9ee73f8073b/

Parent samples :

17bf11baccfc41056deed1f7658ca2183c34cff636c9372b1ecb812cdb4efea2
65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64
b1e5bd12279ecaf63aa22e082d6e833d8137d35ee32f87d2798e30e51a91367c
81325d0c1a73cad7402d2020c15304cba466ecc7919061cd16762f655019c038
74c513cfcefe956a1ebe5c7196d31319580523c277333b59816ed48456ed75b5
aec37f0045fb7091d04f8eedd38d171debaec8225d344a8050cea1c31b435e74
744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f
a183934f8e5161ab94c2bd78598b6138b3990a3a2c55b82fa5a7137be3cf6f72
28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6

SH256 hash:

28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6

MD5 hash:

c0820a2d4e1c83bd612564dbe6a614cb

SHA1 hash:

799759a1630d58dec2f03bc898deb34b90972005

Link:

https://www.unpac.me/results/179d8169-8039-4e1f-a0f2-c9ee73f8073b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Dlls Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	Windows_Generic_Threat_c374cd85 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe 28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6

(this sample)

Dropped by

Privateloader

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2771729/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample