MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34f355d0ad2c3fc9b79bbf8ca01e658c59b4609c3ba91f89ea2fb7766299a7fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	34f355d0ad2c3fc9b79bbf8ca01e658c59b4609c3ba91f89ea2fb7766299a7fd
SHA3-384 hash:	af5cb2bb95b37914eec61af49c93ae684dc54e43717a387c42c64fe269fd19e002159755213bd4aa3ce29fa41c644f16
SHA1 hash:	fd9f76567997da7f703e4384cc869ae25a4643e0
MD5 hash:	c9eff7064828ed6307c80cfc1a12bdc7
humanhash:	double-fix-beryllium-orange
File name:	Unlimited-main.zip
Download:	download sample
Signature	Vidar Create hunting rule
File size:	7'976'645 bytes
First seen:	2023-02-14 17:15:47 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
Note:	This file is a password protected archive. The password is: 1234
ssdeep	196608:4FuIb8H3GaXD2gjWawDtZqz1pmmmcboiF1oGjmgl6Oo/Tv5Xmul:Do23iBpsam4iLoGjmE6OITR5l
TLSH	T12586330985597C898E9E32E4D4AE1873739517B1BEAAC3A38F87F3B10F107594EC94B1
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	tcains1
Tags:	file-pumped pw-1234 vidar zip

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file is a password protected archive. The password is: 1234

This file archive contains 16 file(s), sorted by their relevance:

File name:	msoobeFirstLogonAnim.dll.mui
File size:	6'144 bytes
SHA256 hash:	75b3420a30fa63390c60a85e12662737fec031e5040a40a08aa664139665b0e7
MD5 hash:	3e2ce10c3308b20a903ef0d3fcda687e
MIME type:	application/x-dosexec
Signature	Vidar

File name:	wbemess.dll
File size:	514'560 bytes
SHA256 hash:	331708bf8b09e72bf158ce782724ebe448cad19f47be0918a531c4950f0c933d
MD5 hash:	dbc3853c980c44d89e63df0c760fd75f
MIME type:	application/x-dosexec
Signature	Vidar

File name:	libpng16-16.dll
File size:	241'224 bytes
SHA256 hash:	d7d9d3f584067414f4196b5ff1ee9aff2eafbf3a686340ae18e5dc9ea7c1aaef
MD5 hash:	7e82a150c75c5b30dc82d35af29b8387
MIME type:	application/x-dosexec
Signature	Vidar

File name:	string.txt
File size:	3'148 bytes
SHA256 hash:	6d3b1176d557366c97164e4f7e46dfa7fc4a9617b4988552aa5162f03d749556
MD5 hash:	7bc8525e6216f68578cb914f46f9cc15
MIME type:	application/octet-stream
Signature	Vidar

File name:	msoobedui.dll.mui
File size:	20'992 bytes
SHA256 hash:	6122ba705f2af89f52a7c4e826f7f31d13bc2c8f6c4bc1d1f13a0ba30909172c
MD5 hash:	bb42f7c915ca198fbaf71c125e6968a2
MIME type:	application/x-dosexec
Signature	Vidar

File name:	migstore.dll
File size:	1'238'368 bytes
SHA256 hash:	acb06cf520fa85c3929645c88d99ceb454bad6a9cb9642097b4b9b8a3504d4bf
MD5 hash:	6edfa6fee4f91d989f0c95add39013f4
MIME type:	application/x-dosexec
Signature	Vidar

File name:	XblAuthManager.dll
File size:	1'049'088 bytes
SHA256 hash:	1a5dce5775cd0a511f0edcb23669525590f0f94455c567ddb76dd15c8f25d347
MD5 hash:	b62c41e672194a919028786e4a480541
MIME type:	application/x-dosexec
Signature	Vidar

File name:	MapRouter.dll
File size:	3'182'080 bytes
SHA256 hash:	81f1badd9345f296ae34809bc745ca4dfcde1def0dfd317076d5340981b5fb94
MD5 hash:	ed462036b7ec9d6d9d668f0f51443319
MIME type:	application/x-dosexec
Signature	Vidar

File name:	xpsservices.dll
File size:	2'844'672 bytes
SHA256 hash:	f267f96958f02f26ccc06ffb3208c68fc6211093772c6b0796c4eed40642aa9a
MD5 hash:	f4e34ee10dc65ae33627a929f2a19e1c
MIME type:	application/x-dosexec
Signature	Vidar

File name:	MSVidCtl.dll
File size:	3'452'416 bytes
SHA256 hash:	6679297f7e7f17ef37f48fa25f070d78e76324d167aa8b961d85327321e58754
MD5 hash:	6a93c400f7d5bcf8799c0506531f7d12
MIME type:	application/x-dosexec
Signature	Vidar

File name:	Readme.txt
File size:	236 bytes
SHA256 hash:	a8763851272382ab6e9e01fa86e4cae32dd211b705f92772c4a0903a645ee042
MD5 hash:	e76af5bfc53c19faa4b23680f3bd337e
MIME type:	text/plain
Signature	Vidar

File name:	audit.exe.mui
File size:	4'096 bytes
SHA256 hash:	fefb48f24b49a3d53c05cd995857d9305d70e91f3c14661fe24ebe3b5f1b8d3f
MD5 hash:	7b24d9094c5e280339308c3c07f590c4
MIME type:	application/x-dosexec
Signature	Vidar

File name:	wmipdfs.dll
File size:	65'024 bytes
SHA256 hash:	fcf8e0e938098290995df1e96288d2c213b66302532d0f30ce657ed06e2690f0
MD5 hash:	feb31a8da6cd33f8fe828fd3271d5a99
MIME type:	application/x-dosexec
Signature	Vidar

File name:	winsetup.dll
File size:	3'689'288 bytes
SHA256 hash:	2b40132fa4e1c3de5e70d57935e2c99de437f69ae934a70243dae9a0ce3ca6c2
MD5 hash:	b6a2e94c56a141b004e400358e72ce79
MIME type:	application/x-dosexec
Signature	Vidar

File name:	XpsPrint.dll
File size:	1'514'496 bytes
SHA256 hash:	4eea5be064a0be852df48e71f5b091497b949b8be26decf27321f15272f2f2be
MD5 hash:	952599e3d3f8ef464fdef1242c339f07
MIME type:	application/x-dosexec
Signature	Vidar

File name:	Setup_x64b.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	750'649'776 bytes
SHA256 hash:	b3b8363fc81a9b78fa9619853fe7eea6990c34b23fe4210e482dcc23f4b4728d
MD5 hash:	8681fac0b37950d4a677a98bc9639c4c
De-pumped file size:	688'128 bytes (Vs. original size of 750'649'776 bytes)
De-pumped SHA256 hash:	6f8c5269ce2ba1e2baa595221a138240040aadf80c8819380563a72a3b7e024b
De-pumped MD5 hash:	a0319593f9a9c7e90f32e2ee405b415a
MIME type:	application/x-dosexec
Signature	Vidar

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.HEUR.Trojan.MSIL.Crypt.gen.17816.23975.UNOFFICIAL

Verdict:

No Threat

Threat level:

10/10

Confidence:

67%

Link:

https://www.filescan.io/uploads/63ebc1d46ea97adc8fc211cc/reports/4f946e29-8d42-4e59-a1dd-c06d873570af/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/34f355d0ad2c3fc9b79bbf8ca01e658c59b4609c3ba91f89ea2fb7766299a7fd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34f355d0ad2c3fc9b79bbf8ca01e658c59b4609c3ba91f89ea2fb7766299a7fd/

Threat name:

ByteCode-MSIL.Packed.Generic

Status:

Suspicious

First seen:

2023-02-14 17:18:53 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

4 of 26 (15.38%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gtzvlufnfq74tn43x6gkahtfrrm3iye4hour7cpkf63xmyuzu76q._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:713 persistence spyware stealer

Link:

https://tria.ge/reports/230214-wvwjxaee9t/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Vidar

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/34f355d0ad2c3fc9b79bbf8ca01e658c59b4609c3ba91f89ea2fb7766299a7fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

zip 34f355d0ad2c3fc9b79bbf8ca01e658c59b4609c3ba91f89ea2fb7766299a7fd

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2540034/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample