MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5719504e2f4e976c8ce6fbfda399b80273e783ff05f61dfd1f1bd4737f0bde8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 15

Intelligence 15 IOCs YARA 11 File information Comments

SHA256 hash:	5719504e2f4e976c8ce6fbfda399b80273e783ff05f61dfd1f1bd4737f0bde8a
SHA3-384 hash:	5e346bbb8d6f5a2a98d25018aaeb6ecd5d6ca7098f7aaeb9c374e92bf4c77ab75457a4d43cfb774e40b8a0104a989d8c
SHA1 hash:	a1bb90007d2e00025953c13ca742d767ebcce27e
MD5 hash:	1f7efac73d987dae200e36922267d8c6
humanhash:	skylark-vermont-xray-march
File name:	1f7efac73d987dae200e36922267d8c6.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	252'928 bytes
First seen:	2024-01-05 16:29:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d06982428050f7f06adfc753e0db3b8f (1 x Vidar, 1 x Stealc, 1 x Tofsee)
ssdeep	3072:2/yLKcpYkvNJciKze+IdZoPoj1y9c5zQf35N1/T9p9/e7VP:2/yLKcpdvNDH+W5y+QTDp9/I
TLSH	T1FF34F94392E33D44F9A68B729F2EC6E8760FF3504F4A77AA6118DA1F14B11B2C167712
TrID	46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	1434284424a0c800 (1 x Vidar)
Reporter	abuse_ch
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

Vendor Threat Intelligence

Malware family:

stop

ID:

File name:

buildz.bin

Verdict:

Malicious activity

Analysis date:

2024-01-05 13:15:46 UTC

Tags:

ransomware stop loader vodkagats stealer vidar

Link:

https://app.any.run/tasks/43a64afe-61bb-4303-8169-f533fea3dd5a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/469645/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed redcap

Link:

https://www.filescan.io/uploads/65982e8fb2e45ed099c8b499/reports/5588bf0b-0335-47b0-983e-5ad08fac9411/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/5719504e2f4e976c8ce6fbfda399b80273e783ff05f61dfd1f1bd4737f0bde8a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b9833032-ae25-4a72-ba71-6bd946b017c5

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1370490

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5719504e2f4e976c8ce6fbfda399b80273e783ff05f61dfd1f1bd4737f0bde8a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5719504e2f4e976c8ce6fbfda399b80273e783ff05f61dfd1f1bd4737f0bde8a/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2024-01-04 14:56:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 37 (70.27%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k4mvatrpj2lwzdhg7p62hgnyajz6pa77ax3b37i7dpkhg7yl32fa._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar stealer

Link:

https://tria.ge/reports/240105-tztj1agdb6/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Detect Vidar Stealer

Vidar

Unpacked files

SH256 hash:

c0c92a4757b2b4a34b73575085d2b3036f5037f9a3b851db8c8e9e4f4e2f20d0

MD5 hash:

cbb0d9ba6dcc0af5218e7a290fc3ecd8

SHA1 hash:

f0dfba16ff4cffaaf120e66b6220a5a5219c03b1

Link:

https://www.unpac.me/results/8937e929-9893-4990-aaa7-c3c1a3981199/

SH256 hash:

5719504e2f4e976c8ce6fbfda399b80273e783ff05f61dfd1f1bd4737f0bde8a

MD5 hash:

1f7efac73d987dae200e36922267d8c6

SHA1 hash:

a1bb90007d2e00025953c13ca742d767ebcce27e

Link:

https://www.unpac.me/results/8937e929-9893-4990-aaa7-c3c1a3981199/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5719504e2f4e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5719504e2f4e976c8ce6fbfda399b80273e783ff05f61dfd1f1bd4737f0bde8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of MFA browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	win_vidar Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

Rule name:	win_vidar_strings_jun_2023 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads