MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 19


Intelligence 19 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88
SHA3-384 hash: 7c449a11d8dbb35b295ebd944bb84514461b99de2bbb763651ab0c534520d74e47295d13876d5adc9438b9007b9e3760
SHA1 hash: 7aaf10c720b8cfd1b9daa0174de934a9fa31f410
MD5 hash: b8930ce311970e82b7b52dbfa4d81187
humanhash: yellow-mississippi-don-louisiana
File name:SecuriteInfo.com.Win32.Malware-gen.26093.20806
Download: download sample
Signature Vidar
Create hunting rule
File size:6'504'448 bytes
First seen:2025-02-15 22:23:47 UTC
Last seen:2025-02-15 23:20:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep 49152:+U4K1Qy8nPDdZiBSFfscuj9ADJZlShhV7+pXLRB5TYAUhJSh7DUtiGlMlHDNuc6P:+NbrnrShj9AVYhgB5IJsnUw918Svlj
TLSH T1E6663990FADB54B5EA03187044A7627F23346E098B26CFD7EA507F59EC376E10E32199
TrID 62.2% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
541
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
https://deepseekcaptcha.top/promo.html
Verdict:
Malicious activity
Analysis date:
2025-02-15 00:51:35 UTC
Tags:
loader opendir vidar stealer telegram golang
Link:
https://app.any.run/tasks/100b089d-3889-402d-9ac2-73be95ca3384

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.26093.20806.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b114ea28ab76d43a5b1d8a
Tags:
dridex emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Connection attempt
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto golang obfuscated
Link:
https://www.filescan.io/uploads/67b1141a41f6d21e6a3ba283/reports/51e56d8a-b5e7-4a0d-9258-afa52ca39237/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02dd6db1-7385-47cc-8ade-c34906764196
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1615993
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1615993 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 15/02/2025 Architecture: WINDOWS Score: 100 29 xu3.201008281.xyz 2->29 31 t.me 2->31 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 53 5 other signatures 2->53 9 SecuriteInfo.com.Win32.Malware-gen.26093.20806.exe 2->9         started        signatures3 51 Performs DNS queries to domains with low reputation 29->51 process4 signatures5 55 Writes to foreign memory regions 9->55 57 Allocates memory in foreign processes 9->57 59 Injects a PE file into a foreign processes 9->59 12 BitLockerToGo.exe 32 9->12         started        process6 dnsIp7 39 xu3.201008281.xyz 88.99.124.230, 443, 49902, 49910 HETZNER-ASDE Germany 12->39 41 t.me 149.154.167.99, 443, 49893 TELEGRAMRU United Kingdom 12->41 43 2 other IPs or domains 12->43 23 C:\ProgramData\im7gd\ctr1d2, PE32+ 12->23 dropped 61 Attempt to bypass Chrome Application-Bound Encryption 12->61 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->63 65 Found many strings related to Crypto-Wallets (likely being stolen) 12->65 67 5 other signatures 12->67 17 chrome.exe 12->17         started        file8 signatures9 process10 dnsIp11 25 192.168.2.4, 138, 443, 49737 unknown unknown 17->25 27 239.255.255.250 unknown Reserved 17->27 20 chrome.exe 17->20         started        process12 dnsIp13 33 play.google.com 142.250.185.110, 443, 50018 GOOGLEUS United States 20->33 35 plus.l.google.com 142.250.185.78, 443, 50007 GOOGLEUS United States 20->35 37 2 other IPs or domains 20->37
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2025-02-15 22:24:37 UTC
File Type:
PE (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j5xrwltpya2hhp25m3gkkaj7l3k2s3psvrdlhdssl3tthurqz6ea._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
error
Vidar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar credential_access discovery stealer
Link:
https://tria.ge/reports/250215-2bkk7axqet/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/b4cha00
https://steamcommunity.com/profiles/76561199825403037
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f36b423b-eb26-4d63-bb36-90df8e4807e3
Unpacked files
SH256 hash:
4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88
MD5 hash:
b8930ce311970e82b7b52dbfa4d81187
SHA1 hash:
7aaf10c720b8cfd1b9daa0174de934a9fa31f410
Link:
https://www.unpac.me/results/2c5f56b1-5e5d-4f71-949a-37bc0ca5afc4/
SH256 hash:
e0daa1c48ad24b65a938d403e2ae69478ee0cd730c3d021afa9dbd4378cf7d7d
MD5 hash:
46a82d29613e8ba51f4429cf293bcda9
SHA1 hash:
fd3bd64c989288fee7ba3abe0e8185c3af0596e9
Detections:
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/2c5f56b1-5e5d-4f71-949a-37bc0ca5afc4/
Parent samples :
19198e75f7c830441360a42b06e10415f4368300a7590c119c237ea8c67bf23e
4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f6f1b2e6fc0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Stealc_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Stealc Payload
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Vidar_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3441047/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryW
kernel32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WriteConsoleW
kernel32.dll::SetConsoleCtrlHandler
kernel32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetSystemDirectoryA

Comments