MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764
SHA3-384 hash:	dec9f6a3db6b06a52543097b693e3a45312627ea59e333ce08f9bc7e40b8434244dbba579e8b07fd78ef9767876d373a
SHA1 hash:	e584f41e99b408083fdf63775e9c0a3b93d0544b
MD5 hash:	96652aadb7c376a9f26774031af48aee
humanhash:	foxtrot-fifteen-twelve-michigan
File name:	96652aadb7c376a9f26774031af48aee.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	334'848 bytes
First seen:	2023-11-30 18:59:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	534bfdca31fe91e5b425bdb4dcef0553 (3 x Vidar, 2 x Smoke Loader, 2 x Stealc)
ssdeep	3072:Yut72BcDclsKbyTqTJZ4uFCKPRVpC0zNwQtkUXSAFv9FaS0xZz:1Vwl6KbJ+w/RvC+NqUXnv9F8x
TLSH	T13F64194382E53D55EA258B739F1FC6EC770EF6528E6A7B665128DE1F00B2172C1A3710
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000142241104205 (1 x Vidar)
Reporter	abuse_ch
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461477/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Сreating synchronization primitives

DNS request

Launching the default Windows debugger (dwwin.exe)

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b2657ba1-0e8a-40ca-ab32-ee3dd771163a

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1350733

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM3

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-11-28 12:44:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 37 (78.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fvcmdwyfxdxw7flp3ielzu6z3wtnx266ncfgilg6hvijfjhpq5sa._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:12c2d61a6798c01d07f5c4638a3ba698 stealer

Link:

https://tria.ge/reports/231130-xm2xdsgd9v/

Behaviour

Modifies system certificate store

Program crash

Vidar

Malware Config

C2 Extraction:

https://t.me/s4p0g
https://steamcommunity.com/profiles/76561199575355834

Unpacked files

SH256 hash:

8207e68e8a9269492006e65d72acafeb0a7266b8df13751f54a793640c6015c3

MD5 hash:

7e1cd675a6888b8ecdac3e56505b923d

SHA1 hash:

6d5419a92d768351010655741dbec64a2970071e

Detections:

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Link:

https://www.unpac.me/results/13ab6a9b-def7-4216-9e75-40d2d8f039cf/

Parent samples :

5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a
1b5b2846fe02fa318dd6f82439d4826948cbfc4d7245a8267ac37605bd094885
cfa7e9a5e2ebccf9086d41007f2612d7aee348f17ff75b0ec093d3f5c5436e6f
543d0a85398762fdf5d155fb14833257aa09fcc86da9e789dffbbdd29ff2240f
2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764

SH256 hash:

2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764

MD5 hash:

96652aadb7c376a9f26774031af48aee

SHA1 hash:

e584f41e99b408083fdf63775e9c0a3b93d0544b

Link:

https://www.unpac.me/results/13ab6a9b-def7-4216-9e75-40d2d8f039cf/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2d44c1db05b8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe 2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2735975/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/461477/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample