MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41ee1357282ed8722ff127ac17ff0831a92a54e72c32a560abeae0d27f5c090e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41ee1357282ed8722ff127ac17ff0831a92a54e72c32a560abeae0d27f5c090e
SHA3-384 hash: 631b674e97869d3ca3aede382fb70ae7a9b24f28d6e71cb7ec3b2c6440bd02779bfef365bef14a29ccba3dd52f8d656b
SHA1 hash: 73ed54a021153213ee4823683e4a9376b479d939
MD5 hash: cc94be13bc24599e326d03ca246a61fa
humanhash: five-mars-venus-grey
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:405'544 bytes
First seen:2024-10-03 01:24:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:bXqwxGuBem9P3ofEPGc8V8vkl4vn6QdG9eB4RyWTkui4ZR6d0psZ8EZ:bXqGGTvNUw435B4pZR6d0psaEZ
Threatray 336 similar samples on MalwareBazaar
TLSH T17884CF9C766072DFC857C472DEA86C68EA6078BA530F4607A06752EDDE4D897CF180F2
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter Bitsight
Tags:exe vidar


Avatar
Bitsight
url: http://147.45.44.104/ldms/c6102b3727b2.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
361
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-03 01:30:00 UTC
Tags:
vidar stealer
Link:
https://app.any.run/tasks/955f96d5-275f-413e-9f3f-ee2efe889c1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fe9278780a9b632d229b69
Tags:
Injection Exploit Dridex Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a file
Creating a file in the %temp% directory
Сreating synchronization primitives
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/66fdf273168559661d51e727/reports/fab96dd2-489c-434e-9d90-04a333e67a7b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/41ee1357282ed8722ff127ac17ff0831a92a54e72c32a560abeae0d27f5c090e
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d64ae833-a46d-49b5-8f4e-53e26de00dd8
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1524652
Signature
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524652 Sample: file.exe Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 30 steamcommunity.com 2->30 38 Multi AV Scanner detection for domain / URL 2->38 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 12 other signatures 2->44 7 file.exe 3 2->7         started        signatures3 process4 file5 18 C:\Users\user\AppData\Roaming\msvcp110.dll, PE32 7->18 dropped 20 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->20 dropped 46 Detected unpacking (changes PE section rights) 7->46 48 Contains functionality to inject code into remote processes 7->48 50 Writes to foreign memory regions 7->50 52 2 other signatures 7->52 11 aspnet_regiis.exe 196 7->11         started        16 conhost.exe 7->16         started        signatures6 process7 dnsIp8 32 49.12.197.9, 443, 57947, 57948 HETZNER-ASDE Germany 11->32 34 steamcommunity.com 104.102.49.254, 443, 57946 AKAMAI-ASUS United States 11->34 36 147.45.44.104, 57970, 80 FREE-NET-ASFREEnetEU Russian Federation 11->36 22 C:\ProgramData\softokn3.dll, PE32 11->22 dropped 24 C:\ProgramData\nss3.dll, PE32 11->24 dropped 26 C:\ProgramData\mozglue.dll, PE32 11->26 dropped 28 3 other files (1 malicious) 11->28 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->54 56 Found many strings related to Crypto-Wallets (likely being stolen) 11->56 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->58 60 5 other signatures 11->60 file9 signatures10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/41ee1357282ed8722ff127ac17ff0831a92a54e72c32a560abeae0d27f5c090e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41ee1357282ed8722ff127ac17ff0831a92a54e72c32a560abeae0d27f5c090e/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2024-10-03 01:25:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ihxbgvzif3mhel7re6wbp7yiggusuvhhfqzkkyfl5lqne724beha._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
16358e5cb11b110f739d10d61f23ae9107f01e3757f1c1bbc3f0e71b7404e579
Vidar
44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147
Vidar
6c6ec35999113818b53305fdfd10b9afb24129d3299a06e2f8b4204f327ab98d
Vidar
7fc6bc7f2cb710cf14da22c9e40b8407dbbe523ba7f8a91f8d67f5bce413d5c5
Vidar
86d1e9372127505a6200e134641390297bd255de3b742d874108cbf5670d3d9c
Vidar
90c0395f668f198d1aed010aaabbdab7c7f78b5a8c90072f4a2225683ebaac36
Vidar
9ca478d53da793e89bf97d72d84ea97dcad229ecc0f776f91d10368ac7fa53ff
Vidar
ac3999e4290648c6f63aee0e20e04be509b7c0aa74fb60f5e6dbcd083e3b7e4c
Vidar
bc3a6941205c1bb9be465e5cb20842bc6ae2e7aaea8f374e1c411bd02b89b697
Vidar
error
Vidar
+ 326 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:433cd71b7a2bdd3668a493b00ee95630 credential_access discovery spyware stealer
Link:
https://tria.ge/reports/241003-bsyk9s1djc/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Detect Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
Verdict:
Malicious
Tags:
stealc vidar stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/5d04a115-3129-4f11-aa61-dbe383c3d5ef
Unpacked files
SH256 hash:
41ee1357282ed8722ff127ac17ff0831a92a54e72c32a560abeae0d27f5c090e
MD5 hash:
cc94be13bc24599e326d03ca246a61fa
SHA1 hash:
73ed54a021153213ee4823683e4a9376b479d939
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d33297dc-d845-418a-bbf5-7cc37ec8f259/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/41ee1357282e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/41ee1357282ed8722ff127ac17ff0831a92a54e72c32a560abeae0d27f5c090e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 41ee1357282ed8722ff127ac17ff0831a92a54e72c32a560abeae0d27f5c090e

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3205946/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments