MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36b03249d7ae407da7b955d538e660eae8d3562a091393bb81c5b457ebfe83ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36b03249d7ae407da7b955d538e660eae8d3562a091393bb81c5b457ebfe83ae
SHA3-384 hash: 9191e574b4ec3dc70afe6574dd730f0b8d93fe7352e1ba9bf758635b67a52a8425f5b8439a8bc43e7f32a68efe1fcb4a
SHA1 hash: 0a59ae4e5984474ede5d1f1d24c2c87cf209a419
MD5 hash: 5e1162f753296e6db928f960eb2611aa
humanhash: river-skylark-lake-november
File name:5e1162f753296e6db928f960eb2611aa.msi
Download: download sample
Signature Vidar
Create hunting rule
File size:6'262'784 bytes
First seen:2023-03-04 08:03:33 UTC
Last seen:2023-03-04 09:32:05 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:opYYWkCZCio1gikuxM54j2BhLkltTvxU5tEftkzcy/CEeGfTu3eRY8wn0Kzm:qWhQpbknIXnpmtESzMCuOyx0Ky
Threatray 528 similar samples on MalwareBazaar
TLSH T10F5655D27B84C127C95719354E6793AA6B1DFCD1EA31B0877760F71E5A38AE3AC28301
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:msi vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
BumbleBeeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371605/
Detection(s):
SecuriteInfo.com.Gen.Variant.Ser.Zusy.4059.24260.28712.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CAB cmd.exe expand.exe explorer.exe fingerprint greyware installer keylogger packed shell32.dll stealer warp zusy
Link:
https://www.filescan.io/uploads/6402fb74bfec0852a68efeb6/reports/2869587b-88e2-47df-a769-62f4da71e572/overview
Verdict:
Malicious
Labled as:
Trojan.OLE2.Alien
Link:
https://www.hybrid-analysis.com/sample/36b03249d7ae407da7b955d538e660eae8d3562a091393bb81c5b457ebfe83ae
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/36b03249d7ae407da7b955d538e660eae8d3562a091393bb81c5b457ebfe83ae
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187063
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 819932 Sample: 5vFmrtS9Q3.msi Startdate: 04/03/2023 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 Antivirus detection for dropped file 2->54 56 6 other signatures 2->56 8 msiexec.exe 10 17 2->8         started        11 msiexec.exe 5 2->11         started        process3 file4 34 C:\Windows\Installer\MSIE023.tmp, PE32 8->34 dropped 13 msiexec.exe 5 8->13         started        process5 process6 15 Ms Stable.exe 13->15         started        18 expand.exe 268 13->18         started        21 icacls.exe 13->21         started        23 2 other processes 13->23 file7 66 Writes to foreign memory regions 15->66 68 Allocates memory in foreign processes 15->68 70 Injects a PE file into a foreign processes 15->70 25 RegSvcs.exe 15->25         started        30 C:\Users\user\...\Ms Stable.exe (copy), PE32 18->30 dropped 32 C:\...\8cd5e1c28b7ce34791636811572e25c2.tmp, PE32 18->32 dropped signatures8 process9 dnsIp10 44 t.me 149.154.167.99, 443, 49174 TELEGRAMRU United Kingdom 25->44 46 89.40.14.155, 49178, 80 RACKRAYUABRakrejusLT Lithuania 25->46 48 49.12.112.48, 49175, 49177, 80 HETZNER-ASDE Germany 25->48 36 C:\ProgramData\softokn3.dll, PE32 25->36 dropped 38 C:\ProgramData\nss3.dll, PE32 25->38 dropped 40 C:\ProgramData\mozglue.dll, PE32 25->40 dropped 42 3 other files (1 malicious) 25->42 dropped 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->58 60 Tries to steal Mail credentials (via file / registry access) 25->60 62 Tries to harvest and steal browser information (history, passwords, etc) 25->62 64 3 other signatures 25->64 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36b03249d7ae407da7b955d538e660eae8d3562a091393bb81c5b457ebfe83ae/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-03 21:59:50 UTC
File Type:
Binary (Archive)
Extracted files:
255
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2ydesoxvzah3j5zkxktrzta5lungvrkbejzho4byw2fp276qoxa._file
Verdict:
malicious
Similar samples:
0fe62bce5fdca99b82bc40a1b6c62413a7738207462bcae6c83dae1da8501b15
Vidar
5a7eee6544891c81cbeb11840147702208d7af4b076aa850e1d0adcfdbcfd338
Vidar
6a617163b5914f23371a4d8cf8c13773fee397e02441b0ce411601fc1ac5f54c
Vidar
733501d537884cca4a051c6669c594411f55c910a4b71a0d31e5c622641b841d
Vidar
807dba280d2922afbdb7334fe3e0a602f59dcf597276c6b4948e8140090bc19b
Vidar
82cc542ba58a3f7f875d765e60bc4829593c15d35f1c619ae08bcabded33808d
Vidar
8b08628b3b7ad95bef5be23120ed741dcfca5d30f0d2dfdf83166b94c56f15d1
Vidar
b5b6c61866f1fa1ac5dfb9c2e93888ba463c56d39d535576f46eefac70a4e5d6
Vidar
c751b386ba177fa63844bee350b500cd85b6c745266646f49955b8f5925ff637
Vidar
+ 518 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery spyware stealer
Link:
https://tria.ge/reports/230304-jx94vsdc99/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Vidar
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/36b03249d7ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/36b03249d7ae407da7b955d538e660eae8d3562a091393bb81c5b457ebfe83ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371605/

Comments