MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a
SHA3-384 hash: bfe877a96729052ec57fdad94e8d61dd4cd9b8bcaa86bca0e4360f21661f965d300188d32961f34eb4f04b1e32c14f71
SHA1 hash: 06baa2fd2786e6d95be6b1a71a5f099f7383dd87
MD5 hash: 5f43fac2ca6378a26d2df33b22e5e42e
humanhash: robert-colorado-october-india
File name:5f43fac2ca6378a26d2df33b22e5e42e
Download: download sample
Signature Vidar
Create hunting rule
File size:332'288 bytes
First seen:2023-11-28 14:04:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 611c209f0038ccade413b3ff6a0d65b2 (1 x Vidar)
ssdeep 3072:EsTUCPnSbCZ6h3S90OWgPU5mVou2PF5NfatncxuFlVBZ5/NT0xZz:RUiSXS9ogP1ou2PItncxEBux
Threatray 5 similar samples on MalwareBazaar
TLSH T17E64194393E53D54EA258B728F1FC6EC771EF6518E4A376A5228DE1F00B2176C2A3B11
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 000832c04270a484 (1 x Vidar)
Reporter zbetcheckin
Tags:32 exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460949/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin packed shell32
Link:
https://www.filescan.io/uploads/6565f39297dc047c4b948e98/reports/5597a6f5-4c32-4a70-8c49-045d6015d9ba/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bdaad89a-e873-4179-96de-d1cfe209a293
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349291
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-11-28 13:11:04 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lo5e4wcufpxnzk4phglcuh7wmjqh23i63ho7goeicwwq3fptukna._file
Verdict:
malicious
Similar samples:
1b23847db328a1eb04e93c74451d481cbbaa4d7110fe87440b203a9dad36199a
Vidar
5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a
Vidar
8a59a0e9b326966e4fb7353078bf82b765df754e575a3bfe3bb44220ffb41116
Vidar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231128-rdtlrsad32/
Behaviour
Modifies system certificate store
Program crash
Unpacked files
SH256 hash:
8207e68e8a9269492006e65d72acafeb0a7266b8df13751f54a793640c6015c3
MD5 hash:
7e1cd675a6888b8ecdac3e56505b923d
SHA1 hash:
6d5419a92d768351010655741dbec64a2970071e
Detections:
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Link:
https://www.unpac.me/results/61a2ea2c-e04e-4139-af5b-a88958c2cb2e/
Parent samples :
5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a
1b5b2846fe02fa318dd6f82439d4826948cbfc4d7245a8267ac37605bd094885
cfa7e9a5e2ebccf9086d41007f2612d7aee348f17ff75b0ec093d3f5c5436e6f
543d0a85398762fdf5d155fb14833257aa09fcc86da9e789dffbbdd29ff2240f
2d44c1db05b8ef6f956fda08bcd3d9dda6dbebde688a642cde3d5092a4ef8764
SH256 hash:
5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a
MD5 hash:
5f43fac2ca6378a26d2df33b22e5e42e
SHA1 hash:
06baa2fd2786e6d95be6b1a71a5f099f7383dd87
Link:
https://www.unpac.me/results/61a2ea2c-e04e-4139-af5b-a88958c2cb2e/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5bba4e58542b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 5bba4e58542beedcab8f39962a1ff662607d6d1ed9ddf3388815ad0d95f3a29a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/460949/
  
URLhaus
https://urlhaus.abuse.ch/url/2735975/

Comments


Avatar
zbet commented on 2023-11-28 14:04:06 UTC

url : hxxps://gobo30cl.top/build.exe