MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 405c9f6e9b379914b66eedba3ba0fca6437ebbd4874c066c5cf6b32ea10c079d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 405c9f6e9b379914b66eedba3ba0fca6437ebbd4874c066c5cf6b32ea10c079d
SHA3-384 hash: 6f5f17fec0362bc32c5cd3ef7b8ecec630ab798a341e630009e6e79fe0faa22aaeb7bea35522dc222b1c85462340a462
SHA1 hash: 1ad08c910990c8a3e4f69d8f310862d475f240e2
MD5 hash: 68f6a35eb1e746f262f22faf15242759
humanhash: social-foxtrot-whiskey-ack
File name:Sеtup_x64.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:1'455'104 bytes
First seen:2023-02-15 15:43:14 UTC
Last seen:2023-02-15 17:34:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ad00f804a87cc91a4d9f5cbecda94aa6 (2 x RedLineStealer, 1 x Vidar)
ssdeep 12288:eh2lsvvgo8Q4rEMabQvXLCdkGbIY0j2kGcTQrI:De3goB4rEMabWXGdkwu
Threatray 1'558 similar samples on MalwareBazaar
TLSH T1A765CF9676D5D035C0B6083102A8E7D549FEFF670E1202BF2BA54BF91E29610BDB4B6C
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Sеtup_x64.exe
Verdict:
Malicious activity
Analysis date:
2023-02-15 16:01:19 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/ce8a8bb4-d6e0-4477-a73f-833747c1cf0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/366756/
Detection(s):
SecuriteInfo.com.Variant.Lazy.296718.6213.8232.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/70450/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed redline
Link:
https://www.filescan.io/uploads/63ecfdc6e897c0c33ceb9d52/reports/b3c8da67-90f4-49bc-973b-87995bfa7525/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/405c9f6e9b379914b66eedba3ba0fca6437ebbd4874c066c5cf6b32ea10c079d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bdb5e967-ea98-44f1-b240-48c893af96b0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1176040
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/405c9f6e9b379914b66eedba3ba0fca6437ebbd4874c066c5cf6b32ea10c079d/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-15 15:44:09 UTC
File Type:
PE (Exe)
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iboj63u3g6mrjnto5w5dxih4uzbx5o6uq5gam3c462zs5iima6oq._file
Verdict:
malicious
Similar samples:
0f99ffd1922111c7dfa9f59f23bbd8490894c6d5640fe901f3bca388b1e4881b
Vidar
12b053ff554ab6a4db909b0ee33f419b09f1f0f8a6612ae9773db3451e6d166a
Vidar
17b7efa461eeb91d0e83ae6f90bf00c27900f58f2d27da1cf25ea5d44345bdd3
Vidar
3a00b622128701df9801fb9fc2465bd33a0c3d7ff004333e9fff8f70997dcd83
Vidar
5fc60cbffc44d23cb91b9b61d121794949931d7ed56f0311d68f9176deb961ed
Vidar
cbafa6b5a5a5141801e04ad135271a9e0169e120582ed96c4136c0b2b2ae4d98
Vidar
d074db16525688d38bd4d33669e2406e7ab6cc6f5e2d039dafe019f419622416
Vidar
e0b5142a0af8f9cf06f8e7cb073828711c38a9c47a906d820300d79a7dbce186
Vidar
eb1bc9a5f5c530c8a4d271f626906fe986e5622fe4c635aceb77e95898978654
Vidar
+ 1'548 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:713 pyinstaller spyware stealer
Link:
https://tria.ge/reports/230215-s6g9wacc9y/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Vidar
Malware Config
Dropper Extraction:
https://panelco.su:60963/okesNntABMqQXGIS/GAHQKaIxBCmtXghr.html#VCqpPX3kg5KGYDRajlZtBAnWNQxIc2sLHUr769zSyhEfFbJTM1wm40u8eovidO+/=
Unpacked files
SH256 hash:
67967e5fd30d0eae4ea2a3ed65cb46adf93ebce1feb31cdb271901a578dcb645
MD5 hash:
e06bc27af2569c240ca1262b4cee146d
SHA1 hash:
d40a461c9bd05a03cb01ac17201520b39abf3a72
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/3e83c426-2d0e-46d0-9bdd-9eb7ecb3c629/
SH256 hash:
405c9f6e9b379914b66eedba3ba0fca6437ebbd4874c066c5cf6b32ea10c079d
MD5 hash:
68f6a35eb1e746f262f22faf15242759
SHA1 hash:
1ad08c910990c8a3e4f69d8f310862d475f240e2
Link:
https://www.unpac.me/results/3e83c426-2d0e-46d0-9bdd-9eb7ecb3c629/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/405c9f6e9b37/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/405c9f6e9b379914b66eedba3ba0fca6437ebbd4874c066c5cf6b32ea10c079d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/366756/

Comments