MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ac8bd1c622637a972de501a4737ee63968ee25b3211ed8ec512775e416518e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ac8bd1c622637a972de501a4737ee63968ee25b3211ed8ec512775e416518e5
SHA3-384 hash: 6784de9890d02455de2ba9b9ef1729410c3c87eb0ed2c8d92f2f480af7395fc84fb8ea005a16d3b947359621e77a0f9d
SHA1 hash: cd3276b5bd971a27172c9af343a69fbd06473ca0
MD5 hash: c5806b500203afa73d3c09285be59a30
humanhash: utah-bulldog-triple-coffee
File name:c5806b500203afa73d3c09285be59a30.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:484'864 bytes
First seen:2023-04-14 06:58:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4346286ab6c11bc5538ee570db981e45 (2 x GCleaner, 2 x Vidar, 1 x CoinMiner)
ssdeep 12288:hT29jRWL136ZGFWxMozSJzlDS8uxd7eL09owJ1b:hS9QsZGQiob8y1owJ
Threatray 623 similar samples on MalwareBazaar
TLSH T181A4AE32729C9871E5235A714E2AC6F92E6EF4639F557BDB1344BA3F0A701E2D232305
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 02451504110a0208 (1 x Vidar)
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c5806b500203afa73d3c09285be59a30.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 07:01:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8beac247-b4b7-4abd-87fe-ef2a542e7d12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382206/
Detection(s):
Sanesecurity.Malware.29209.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/79586/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit greyware khalesi lockbit packed unsafe zusy
Link:
https://www.filescan.io/uploads/6438f983b4ec50bace60241c/reports/a5eeb41a-e265-4f53-9ae5-c80689028e4d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5ac8bd1c622637a972de501a4737ee63968ee25b3211ed8ec512775e416518e5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08f1a4be-1dbf-4572-88c8-76608022b57a
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213718
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ac8bd1c622637a972de501a4737ee63968ee25b3211ed8ec512775e416518e5/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-04-14 06:58:11 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=llel2hdcey32s4w6kaneon7omoli5ys3gii63dwfcj3v4qlfddsq._file
Verdict:
malicious
Similar samples:
0737c068f2012af8cdb27ec08664ba0aca11c0dced3702efb7359d59e2186338
Vidar
10693518407261cb6d1cae5bd3ad6aa3309e0a6ac1170cc9592a3ed29e3303b3
Vidar
1aabaf257833b939257609dea10af40fb814682dd8de52918145f3bc40441625
Vidar
271b5a55ffe8fa4b7886abbd3c5cf68614267f8bdc2f6f78fac2f5400e95aa35
Vidar
6c26e5a25958830af43246a52754d4f6686b44cf7c96facce8be29c496561c29
Vidar
b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0
Vidar
bd92cab108fe5e7fb8da4749f18a1ba88153755e72b9d3b15854295a7394877c
Vidar
c73c5027ec11576250105ea0664c33a51f3a19901c6bcbfd84d88c94f3482435
Vidar
cc497e1245062037cfa1a5ab3d11ae10e04a7cc4fdb12fa13a7a4073ca81a444
Vidar
e814d34a0eb17347413d34653b7fca514c931eb1a5317012fe44d54c09617fd4
Vidar
+ 613 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:laplas family:vidar botnet:e749025c61b2caca10aa829a9e1a65a1 clipper discovery persistence spyware stealer upx
Link:
https://tria.ge/reports/230414-hrha8agg66/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Laplas Clipper
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
http://185.106.92.74
Unpacked files
SH256 hash:
17466c56f4272bbd5c90415568b1e0adce18151792bbd7de8ccb075c3fb536e6
MD5 hash:
fb5511afb0219a90b77517ed1511fb60
SHA1 hash:
7790a2144a000e876c7cff37639a09547e46ac74
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/f86c4cbd-811f-4e7b-b767-34696cccdcee/
Parent samples :
05bf271392855e4962f4d736eb701e764ad972451205c8be5364f1bd9f824197
1c4fff759380974bfefb163c13bd2c7c68e96076fe1e703c9e6ee167ea74297b
271b5a55ffe8fa4b7886abbd3c5cf68614267f8bdc2f6f78fac2f5400e95aa35
e814d34a0eb17347413d34653b7fca514c931eb1a5317012fe44d54c09617fd4
214e9703ba46ea2ec8a747913145d48a8be812ab4beaf8f055e889c204955174
5ac8bd1c622637a972de501a4737ee63968ee25b3211ed8ec512775e416518e5
4598f17c42e3fa2259e57d1e4732ad6847a6b3469114a1d37112a8fca6ba748b
d22d3e19a68d8c6efe71df22e21bb6be33925cdc30213f7b82bb38d7ccb65096
9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3
f9803322b5a1423f9d3ec2381ceccd1911ff49dba85c0cb25437d653c5658d44
9d32dcd66ddeff3c376b08f6c76d28a3b577eebc2f0d8b9ba1781109ec3d6c62
fc258ff7ef8632a4cc29132b406ea66c43c0dc7fbf9f7ce9b0ab016b8fd0da3a
2050a2f16f735a22589fa28453489733dfa907f5f9b05ce0510b89bcafae0ba4
076765520388312f563d23a0bf30f6069b6d6745faf1d1cf2bf1be5e45866c7e
ffcd81554dfa79fc164a1442d47b404c44e9221376c1632b5ffc6a9b2efeff72
3235d6bdcf964ed58a67049341a5aefda696011a8bc8f29304c8592f68678191
585ecea5cbd604932ea18eb6e089c11bf542b6bdcbc1183d134b7937c3908063
17c93fb176f59f4887e4a957b6af15270964abf3651540bdca34b0cf91c47428
76a4ed024ae4064f850fb46eee2f83e8edd8da2dc0aa45ee023b13e43d12d5be
2f14512e1f5a853252238c152e22e33bc1e14a37e27f015813d3661175294b32
0d4ca324e676d8cd384902068b4caf199e1803fc82fdf3d7ee0fa7a902dcf4f1
8e2c24992e272ae9bd921ce4a96c3c42c8c80b69c615a4570efc06f52f151855
SH256 hash:
5ac8bd1c622637a972de501a4737ee63968ee25b3211ed8ec512775e416518e5
MD5 hash:
c5806b500203afa73d3c09285be59a30
SHA1 hash:
cd3276b5bd971a27172c9af343a69fbd06473ca0
Link:
https://www.unpac.me/results/f86c4cbd-811f-4e7b-b767-34696cccdcee/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ac8bd1c6226/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 5ac8bd1c622637a972de501a4737ee63968ee25b3211ed8ec512775e416518e5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2605501/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382206/

Comments