MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45ac86c9c4501113f3912d513270d66a5c7bf5a6edb0a89fbb23965271b1049f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45ac86c9c4501113f3912d513270d66a5c7bf5a6edb0a89fbb23965271b1049f
SHA3-384 hash: e3ef7dcf5c3e04bc5cafdafcd951d7db102c7e00dc7ed118aa181f8fffbd3fcec825a6cbf695c9fc00902a314d06b171
SHA1 hash: 7514b009e40d87f4b16d87c9f7dc35dcfe3239c4
MD5 hash: 2d1952dc0776774b3d9366412a44de4d
humanhash: december-timing-california-april
File name:2d1952dc0776774b3d9366412a44de4d
Download: download sample
Signature Vidar
Create hunting rule
File size:1'629'088 bytes
First seen:2023-05-02 13:02:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5dbd4b53304dc2aae0c97e1295bb4e1e (1 x RedLineStealer, 1 x Vidar)
ssdeep 49152:FNwP4UmS2Wa0NwUKx6Zke9JlFRVtrq5cj0d:3wQrS2WQUKx6Zk0p2X
Threatray 1'352 similar samples on MalwareBazaar
TLSH T1D475E117E284D022E5B222FA4AB9516879296D60171981CB71C47FFDBF765FEAC30323
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon cdc9096bc9c9f8cc (1 x Vidar)
Reporter zbetcheckin
Tags:32 exe signed vidar

Code Signing Certificate

Organisation:lisablas.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2023-04-18T09:04:56Z
Valid to:2023-07-17T09:04:55Z
Serial number: 030695bf9d4ffbc347ee3385eb99d300ae33
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 6876e0c11b3cbc7aeba2b51e681c82bab80fd9fc75f8a35616b5a387356b77d3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2d1952dc0776774b3d9366412a44de4d
Verdict:
Suspicious activity
Analysis date:
2023-05-02 13:04:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/460234bd-19ec-4308-9c6a-eb13782eed98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386131/
Detection(s):
SecuriteInfo.com.Variant.Ser.Jaik.3792.14161.21059.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Сreating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82241/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/64510a06961a21dc785c67a0/reports/6dc60cc2-a71c-4cf9-ab63-c1833461fe24/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/45ac86c9c4501113f3912d513270d66a5c7bf5a6edb0a89fbb23965271b1049f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef043efa-57a5-44d1-8ec1-56a1340297c6
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1224690
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45ac86c9c4501113f3912d513270d66a5c7bf5a6edb0a89fbb23965271b1049f/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-04-30 23:39:08 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwwinsoekairh44rfvite4gwnjohx5ng5wykrh53eolfe4nraspq._file
Verdict:
malicious
Similar samples:
3938e9e23562cf722e3bb98f6289351ff1ce0938f65177d3b581de5c763e90c4
Vidar
40f62ade4e0084539def408e1f01e302a94a0be47578aad2f603eeb0894f38f9
Vidar
784bb9d5ac9ba16cbfb56d482be25437effc2cca13120d5947782d7f1974ae46
Vidar
babe6467feb2750f32a113b970674022ff1cf3248b724f69c837df0b55a2337d
Vidar
bccd81dfc84e37c77d12fc1a145b6854962eee72ac1b73013473022562c04d27
Vidar
bf129cec049c6d60b5a2ee6d2b99786e537f13d37a5a8464f0c6c6ef3df64cc3
Vidar
d86b56fbb2ae739877ad2143f719b0c60df88b6d773c9f837f8490fb157ec165
Vidar
eae4b77ea1c206dc0a5fd6c0f34d2eae940b8fd20558aadf67ae4481099db184
Vidar
+ 1'342 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:495ab205af103eb0f20c7a90577f42e5 spyware stealer
Link:
https://tria.ge/reports/230502-qab2wabb53/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199499188534
https://t.me/nutalse
Unpacked files
SH256 hash:
caf2c81a260df7a4f19abaac8bc7a804c0c1a9286de735399f69d5593b82670e
MD5 hash:
96a8f0fa4c8b8addad48df57649d3189
SHA1 hash:
cae32e49b0f1db35ea663e31211a541ea5ca6216
Link:
https://www.unpac.me/results/905c1f19-4f08-4f33-b296-140946585ba9/
SH256 hash:
45ac86c9c4501113f3912d513270d66a5c7bf5a6edb0a89fbb23965271b1049f
MD5 hash:
2d1952dc0776774b3d9366412a44de4d
SHA1 hash:
7514b009e40d87f4b16d87c9f7dc35dcfe3239c4
Link:
https://www.unpac.me/results/905c1f19-4f08-4f33-b296-140946585ba9/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/45ac86c9c450/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Telegram_Links
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 45ac86c9c4501113f3912d513270d66a5c7bf5a6edb0a89fbb23965271b1049f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2622147/
Cape
Cape
https://www.capesandbox.com/analysis/386131/

Comments


Avatar
zbet commented on 2023-05-02 13:02:44 UTC

url : hxxp://zenithgurukul.in/v1.exe