MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 17


Intelligence 17 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d
SHA3-384 hash: d60cb729a1b3fc6e7142f7d82ece492c8b01a562b0c00fe2fea09182747a82c3e61bcbff7121b183f4f4caf6ef05d6d7
SHA1 hash: 01ceb31bfcb1f5d6eefffa5bf1c6cb891ca6dd75
MD5 hash: 3cd180f72198597215cab492c109f5a0
humanhash: alaska-grey-fruit-island
File name:a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:186'368 bytes
First seen:2024-08-04 00:19:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf0457e30f7172540414ef6152db6209 (2 x Vidar)
ssdeep 3072:Qiyi/SfJhUwLibCxNKBC6y8WyQQF1h7NOwUPfbldFw0t+Z0vhAVfEgr2Csy5rilr:ZbShBLWANKrBWyt3ZOwUPfbldFw0t+ZA
Threatray 38 similar samples on MalwareBazaar
TLSH T1DC046A72B612883DF8620570DAED37DD847C6D66233C21EBBBE1558834B24E6953933B
TrID 56.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.4% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter ukycircle
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Verdict:
Malicious activity
Analysis date:
2024-08-04 00:21:20 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/f57bfea0-5f21-40f3-bed2-0082978f1eed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66aec936b7a04efc7439c89a
Tags:
Execution Generic Infostealer Network Other Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Running batch commands
Creating a process with a hidden window
Launching a process
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm lolbin microsoft_visual_cc packed shell32 stealer
Link:
https://www.filescan.io/uploads/66aec93478d5c73fb1cbfbd9/reports/ee558c97-e080-48ac-bda2-aee9a832e97b/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8855a452-21b1-435e-b2d1-c70a3826f109
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1487424
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1487424 Sample: a8fb80b6e9d920c26922b29171e... Startdate: 04/08/2024 Architecture: WINDOWS Score: 100 35 steamcommunity.com 2->35 37 fp2e7a.wpc.phicdn.net 2->37 39 2 other IPs or domains 2->39 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Antivirus detection for URL or domain 2->55 57 11 other signatures 2->57 8 a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe 1 40 2->8         started        signatures3 process4 dnsIp5 41 steamcommunity.com 104.102.49.249, 443, 49730, 49764 AKAMAI-ASUS United States 8->41 43 168.119.176.241, 443, 49731, 49732 HETZNER-ASDE Germany 8->43 45 2 other IPs or domains 8->45 27 C:\Users\user\AppData\Local\...\mine[1].exe, PE32 8->27 dropped 29 C:\ProgramData\softokn3.dll, PE32 8->29 dropped 31 C:\ProgramData\nss3.dll, PE32 8->31 dropped 33 5 other files (3 malicious) 8->33 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 8->59 61 Found many strings related to Crypto-Wallets (likely being stolen) 8->61 63 Contains functionality to inject code into remote processes 8->63 65 5 other signatures 8->65 13 EHDHIDAEHC.exe 3 8->13         started        16 cmd.exe 1 8->16         started        file6 signatures7 process8 signatures9 67 Multi AV Scanner detection for dropped file 13->67 69 Machine Learning detection for dropped file 13->69 71 Writes to foreign memory regions 13->71 73 2 other signatures 13->73 18 MSBuild.exe 17 13->18         started        21 MSBuild.exe 13->21         started        23 conhost.exe 16->23         started        25 timeout.exe 1 16->25         started        process10 signatures11 47 Tries to harvest and steal browser information (history, passwords, etc) 18->47 49 Searches for specific processes (likely to inject) 21->49
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2024-08-04 00:20:06 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lliolvtqebrirk6m3fn3by77d3u2rcnusqr4wulay7czseuzdigq._file
Verdict:
malicious
Similar samples:
0db8af903779fe3050ab2efc976a7b5a35e1bfeafd201e87a36ea1d589cbfef1
Vidar
0df79273aea792b72c2218a616b36324e31aaf7da59271969a23a0c392f58451
Vidar
1ebdbd7b94a764479be0363d620c6c6b2b41b5b55888c9546b22d050835b22ea
Vidar
217900ee9e96bcb152005818da2e5382cac579ab6edd540d05f2cdb8c8f4ce8b
Vidar
9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707
Vidar
a35e785bcf822d20a6bfb76d4dd3f78ecebaf8147f03ee2ffd8d492ac8cc657f
Vidar
c6c2bcb1f03e9af5e03fc2152420f451c28afcc1ba505c4f7c941360449c003d
Vidar
+ 28 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240804-amrebsvdpd/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Detect Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3c12363a-24cf-4de8-b1aa-b6bbfc0dec1d
Unpacked files
SH256 hash:
0ab41930f0a18d7629031bf5cd9a8c7090c13983c1d7567b9018185f0fa18f0d
MD5 hash:
2890a00ef6943ed98e2b7c6e3e49ae1c
SHA1 hash:
9072a751e68fe39222aebc87ffb898a423310ce9
Link:
https://www.unpac.me/results/829999e6-94e0-402e-91ea-04a4ceb8b59f/
SH256 hash:
5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d
MD5 hash:
3cd180f72198597215cab492c109f5a0
SHA1 hash:
01ceb31bfcb1f5d6eefffa5bf1c6cb891ca6dd75
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/829999e6-94e0-402e-91ea-04a4ceb8b59f/
Parent samples :
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be
5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d
521d404952876e51d0cf3a4d0d69e30566406a3a129343d5e53d5d7274f4d3dc
13368bfeba0fbf3160dbbb1155b1439b7fcdb0fb59baef1cc93207821e63465f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EXE_Vidar_May_2024
Create hunting rule
Author:NDA0E
Description:Detects Vidar payload
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Stealc
Create hunting rule
Author:kevoreilly
Description:Stealc Payload
Rule name:Stealc_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Stealc Payload
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Vidar_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Vidar Payload
Rule name:Windows_Generic_Threat_2bba6bae
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
SHELL_APIManipulates System ShellSHELL32.dll::SHFileOperationA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::CreateFileA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
ADVAPI32.dll::GetUserNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegGetValueA
ADVAPI32.dll::RegOpenKeyExA

Comments