MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5636b99242d2f26e7ed420b54b0ed45da6cc6f360a531ef89b467c973347a2c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 11



SHA256 hash: 5636b99242d2f26e7ed420b54b0ed45da6cc6f360a531ef89b467c973347a2c5
SHA3-384 hash: fd928bd94c290a7591e57371a94272da7bc73c38651aed269c1cc7c0dfa3a94000c5e83ec1f903879b99a351c143da0b
SHA1 hash: 13b879d791cdac86e59c7150d15bfac9ae13d749
MD5 hash: 2b73910ec4bcce1fbfc1a81d3d29f2b5
humanhash: five-whiskey-mirror-charlie
File name: vida.exe.bin
File size: 1'816'472 bytes
First seen: 2022-08-07 05:24:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 65d6a9688f009ae6cdbcf245e165220f (2 x RedLineStealer, 2 x RecordBreaker)
ssdeep: 49152:voxjpz0Y3YbijUZhMUKLfVrb1wMiyFVhJ6rQcsP/LBY:wxjZIPCpj1b6/yn+r+P6
Threatray: 328 similar samples on MalwareBazaar
TLSH: T1B5852368EA80C027CCB72A313A54AB16C375BE23057592971B857F373E713EA5A7931C
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: e8c4cac8ecb4cccc
Reporter: srujankumar_k
Tags: exe signed

Code Signing Certificate

Organisation: *.sodi.com
Issuer: R3
Algorithm: sha256WithRSAEncryption
Valid from: 2022-06-07T11:00:10Z
Valid to: 2022-09-05T11:00:09Z
Serial number: 0308a6a26993d37de43eb443c6926f4d639d
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: f46196802f8b0caa93c28dc4d3d765a030a53416cd5df85dd0d9689e5e06119d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Comment by srujankumar_k:
hxxps[://]sky-titans[.]net/files/vida[.]exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 415
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: vida.exe.bin
Verdict: Malicious activity
Analysis date: 2022-08-07 05:27:15 UTC
Tags: trojan stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
PowerShell case anomaly found
Queries memory information (via WMI often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph: [graph image not reproducible in text; Behavior Graph ID 679943, sample vida.exe.bin, start date 07/08/2022, architecture WINDOWS, score 100. The graph shows the process tree (vida.exe.exe spawning InstallUtil.exe and MpCmdRun.exe, followed by a dropped executable, powershell.exe, cmd.exe, reg.exe, taskkill.exe, timeout.exe, wscript.exe and conhost.exe instances) together with each process's network contacts, dropped files and triggered signatures.]
Threat name: Win32.Spyware.Vidar
Status: Malicious
First seen: 2022-08-07 05:25:11 UTC
File Type: PE (Exe)
Extracted files: 27
AV detection: 19 of 26 (73.08%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SHA256 hash: 08bdc6703934b65c27ab3e8391d1ce8c36079ff86c90b6d783d80c67c0b2b908
MD5 hash: 88511b709274bff1eda05a01dfc2c7c0
SHA1 hash: 29874bece4e07ad49a9fb7dd64a554f129f3a06b

SHA256 hash: 850d6e10c8fc58ce453cdc9f0af194586025911a37022c4eee4fa06e69e3c73a
MD5 hash: a8b53282b73d48fd9727c401204af625
SHA1 hash: 1cff27b58aef22ec3fb94b4ef90460e6530936d3

SHA256 hash: 5636b99242d2f26e7ed420b54b0ed45da6cc6f360a531ef89b467c973347a2c5
MD5 hash: 2b73910ec4bcce1fbfc1a81d3d29f2b5
SHA1 hash: 13b879d791cdac86e59c7150d15bfac9ae13d749
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Web download: Executable exe 5636b99242d2f26e7ed420b54b0ed45da6cc6f360a531ef89b467c973347a2c5 (this sample)
