MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3df572ecd8ad88b1b744adc3323998b64d8303ef1a19eba3d7fd6e76aeb67532. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	3df572ecd8ad88b1b744adc3323998b64d8303ef1a19eba3d7fd6e76aeb67532
SHA3-384 hash:	8f6586675cdcf7c5da32f7a07f4b11afed71b3e450630f6ae6e6d4244ded06b88d03ec67a524a5bf2aa31dc7075e5219
SHA1 hash:	9f98c4c403b98aea3624d905b2e1ccbe5939c908
MD5 hash:	c56b758f00562948de9cac375422074c
humanhash:	bravo-red-jersey-july
File name:	c56b758f00562948de9cac375422074c.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	391'680 bytes
First seen:	2023-03-07 14:17:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7ce8be817094ce334ca321b79c30ac3e (1 x Gozi, 1 x Vidar)
ssdeep	6144:qdIjLWKjRaNPXd5G3KpR0JjKXV+3rQqkuWZgdVlVZ/X36qfAk:gQ6KjRYPX/G3KoJCMZFpa
Threatray	1'161 similar samples on MalwareBazaar
TLSH	T19884F22536A1D036E2DB64705078EBA52EBFF8F22261C98F7754139E0E706C19A7731B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	001ad2c29c88b8b4 (1 x Vidar)
Reporter	abuse_ch
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c56b758f00562948de9cac375422074c.exe

Verdict:

Malicious activity

Analysis date:

2023-03-07 14:30:12 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/5d252508-35d6-4747-a24f-7b2e0d00a5a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/372318/

Detection(s):

Sanesecurity.Malware.28986.BadIN.UNOFFICIAL

Sanesecurity.Malware.28988.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/6407479d7f18ce9b01806493/reports/54305ce1-7c9f-4b84-beb9-373eda490952/overview

Verdict:

Malicious

Labled as:

Ransom.84989A88

Link:

https://www.hybrid-analysis.com/sample/3df572ecd8ad88b1b744adc3323998b64d8303ef1a19eba3d7fd6e76aeb67532

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/58f0b210-5835-4aa3-94ea-117ce74a11d1

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1188995

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3df572ecd8ad88b1b744adc3323998b64d8303ef1a19eba3d7fd6e76aeb67532/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-03-07 12:57:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hx2xf3gyvweldn2evxbteomywzgyga7pdim6xi6x7vxhnlvwouza._file

Verdict:

malicious

Vidar

0b98114cfbe3e32c681ebb5a4a867391da2d235b771227af97f46825b95de3f2

Vidar

2631ab16a328fb1e677dfffbebe122cf9b96540df841edcac6a5a20bd54d6214

Vidar

9cba9215115c4f6f7920c41ea846f4ce11e2399de45457a25b4d30ddcbe6879b

Vidar

dfe6df52d058c1a19169d2de00c781dc19cb829a95f0c0d533702063c2d002c6

Vidar

e58392645053aec0b085aef877aa4692d5253f51535798ba18d7b7165d73390f

Vidar

+ 1'151 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar discovery spyware stealer

Link:

https://tria.ge/reports/230307-rmaj9ahg5s/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Unpacked files

SH256 hash:

9040a7714b2f2c631972fdc88020e308710f13b4cfbb98ecfab361a43a65b953

MD5 hash:

23720bdfeb632a4040936f9f880bafab

SHA1 hash:

e0f4a3b92bcd2910158e218b66804cdb77640839

Link:

https://www.unpac.me/results/bb79438b-6853-4147-8999-1889c7c05ad0/

SH256 hash:

3df572ecd8ad88b1b744adc3323998b64d8303ef1a19eba3d7fd6e76aeb67532

MD5 hash:

c56b758f00562948de9cac375422074c

SHA1 hash:

9f98c4c403b98aea3624d905b2e1ccbe5939c908

Link:

https://www.unpac.me/results/bb79438b-6853-4147-8999-1889c7c05ad0/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3df572ecd8ad/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3df572ecd8ad88b1b744adc3323998b64d8303ef1a19eba3d7fd6e76aeb67532

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents