MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2
SHA3-384 hash:	2a4fe910ebbffe974659d7a13f5385faa78b357fa8caf8bd5864d53663a30e4088188bc0eb2f9d5e97c18aa0f577815f
SHA1 hash:	378e60eee98c8407808c05561b144537d0b22731
MD5 hash:	c06097200ce77e7d68dc2ca18b183096
humanhash:	double-princess-bluebird-nevada
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	2'330'112 bytes
First seen:	2023-04-15 09:24:06 UTC
Last seen:	2023-04-16 06:30:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 47 x PureHVNC, 31 x CoinMiner)
ssdeep	49152:MqfnQVsS7590/aJKx0Wp8BKgZsj8oZ703EPaaX8nlRMAEL:MqfQjN90/eKuWp8WfZY3naXiMl
Threatray	148 similar samples on MalwareBazaar
TLSH	T1EFB52362BE59D539CDAAC977EA5F42F30FE19CD1C54A706332DCBF2A28F61218004766
TrID	38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	e0d0744ce4248810 (1 x Vidar)
Reporter	andretavare5
Tags:	exe vidar

andretavare5

Sample downloaded from https://cdn.discordapp.com/attachments/1093445815051227229/1096727224318705744/vdr.exe

Intelligence

File Origin

# of uploads :

# of downloads :

262

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-04-15 09:24:45 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/f2acd5d8-fe06-4659-ace9-cbab18cb31ea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/382399/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Generic.23384.27968.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Creating a window

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed packed

Link:

https://www.filescan.io/uploads/643a6d70f4a1f6ede14ede7b/reports/03c40e2c-bf55-4ea3-b2ed-485ef1b8d401/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/99e4e033-83b3-4878-ab5d-4c93008009fa

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1214301

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-04-15 09:25:10 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g3pbkdf2hu2hogi4xycjldu7rb3slxy6fyq2slfrrcdweary32ra._file

Verdict:

unknown

Vidar

193351df6e24e833b30dcfc1dc3be94882c33a79e5bf8a6d76f51256d4b090d5

Vidar

296e195f7896d20af579930d9bc481bc9d651e79480399c071531417bfede4a7

Vidar

3838e7c40562f66dd304227e311eeb51dd9c2981a4e5c54da4789e6fcbb06f5d

Vidar

77109a0bbb0d37926a327f63491d41be714c6fbed0a3ea4e5565e1349120d9a3

Vidar

7e481ee40af6227bc65f7334cffa28ef661ab49cb800ce383aed1cec82515ae5

Vidar

97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6

Vidar

ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d

Vidar

e3b0a6b1e8aa4cc6407d49b2bc8607549fc5b25cd2b11fc66a41127266c3ca47

Vidar

+ 138 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:76b614a229b9a88f7d0ba57796ab0fc2 evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/230415-ldl9ssdf58/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs

Unpacked files

SH256 hash:

36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2

MD5 hash:

c06097200ce77e7d68dc2ca18b183096

SHA1 hash:

378e60eee98c8407808c05561b144537d0b22731

Link:

https://www.unpac.me/results/9a802b81-2a58-4520-af3e-20cdf193c56a/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36de150cba3d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/382399/

URLhaus

https://urlhaus.abuse.ch/url/2609736/

URLhaus

https://urlhaus.abuse.ch/url/2609977/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample