MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Generic


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39
SHA3-384 hash: 22c76ddcc32fc71131c72c0c661c22654f1113cf174b5742e037c8848198e85b60e83fa4e0efe781189df237db58087e
SHA1 hash: 30f528e119e699de15b48ea9365dc07a096a580f
MD5 hash: 0c38e5cacc997db36aeb4678c1ddf3bc
humanhash: island-friend-oven-grey
File name:lem.exe
Download: download sample
Signature Adware.Generic
Create hunting rule
File size:16'570'118 bytes
First seen:2025-02-19 20:00:46 UTC
Last seen:2025-02-20 10:04:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 48aa5c8931746a9655524f67b25a47ef (4 x Adware.Generic, 3 x AsyncRAT, 3 x Vidar)
ssdeep 393216:Pkcbf0j8aPknFM7mqF6WEuDLEXgqqIv1MCNrrPgLX3wRHyNn:ccj0PPknFymqXE8gXKkJrPgL6SZ
Threatray 1 similar samples on MalwareBazaar
TLSH T1C8F6236293C54833E5731B75597A9250AD367A212AF094BE7FB8DF0C1F39A42BD30392
TrID 40.9% (.EXE) Inno Setup installer (107240/4/30)
21.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.4% (.EXE) InstallShield setup (43053/19/16)
5.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.0% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika pebin
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter skocherhan
Tags:Adware.Generic exe opendir


Avatar
skocherhan
https://book.rollingvideogames.com/temp/lem.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
619
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
lem.exe
Verdict:
Malicious activity
Analysis date:
2025-02-19 20:03:03 UTC
Tags:
delphi inno installer telegram vidar stealer
Link:
https://app.any.run/tasks/cab13284-ee96-4ba0-8c70-d06425c949d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Program.Unwanted.1514.22016.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b6394ca0fd713c335bd8d6
Tags:
dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd embarcadero_delphi evasive expand fingerprint installer invalid-signature lolbin obfuscated overlay packed packed regsvr32 runonce scriptrunner signed
Link:
https://www.filescan.io/uploads/67b6388f2efec8f546d23c89/reports/67f462f6-b1c7-4abf-afa1-3bb99a2a5cea/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39
Result
Verdict:
UNKNOWN
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ddaa5d09-4009-4bc2-9f68-773cc94ce8d0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1619387
Signature
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Monitors registry run keys for changes
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1619387 Sample: lem.exe Startdate: 19/02/2025 Architecture: WINDOWS Score: 100 79 www.0e0.jp.eu.org 2->79 81 t.me 2->81 105 Suricata IDS alerts for network traffic 2->105 107 Found malware configuration 2->107 109 Antivirus detection for URL or domain 2->109 111 2 other signatures 2->111 12 lem.exe 2 2->12         started        15 msedge.exe 105 622 2->15         started        signatures3 process4 file5 75 C:\Users\user\AppData\Local\Temp\...\lem.tmp, PE32 12->75 dropped 17 lem.tmp 3 14 12->17         started        20 msedge.exe 15->20         started        23 msedge.exe 15->23         started        25 msedge.exe 15->25         started        27 msedge.exe 15->27         started        process6 dnsIp7 65 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 17->65 dropped 67 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->67 dropped 69 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 17->69 dropped 71 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 17->71 dropped 29 lem.exe 2 17->29         started        95 18.173.132.98, 443, 50080, 50097 MIT-GATEWAYSUS United States 20->95 97 c-msn-pme.trafficmanager.net 13.74.129.1, 443, 50041 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->97 99 29 other IPs or domains 20->99 file8 process9 file10 77 C:\Users\user\AppData\Local\Temp\...\lem.tmp, PE32 29->77 dropped 32 lem.tmp 5 46 29->32         started        process11 file12 57 C:\Users\user\...\Start10ThemeEdit.exe (copy), PE32 32->57 dropped 59 C:\Users\user\AppData\...\xvidcore.dll (copy), PE32+ 32->59 dropped 61 C:\Users\user\...\netstandard.dll (copy), PE32 32->61 dropped 63 63 other files (none is malicious) 32->63 dropped 35 Start10ThemeEdit.exe 46 32->35         started        process13 dnsIp14 89 www.0e0.jp.eu.org 116.202.180.73, 443, 49832, 49842 HETZNER-ASDE Germany 35->89 91 t.me 149.154.167.99, 443, 49825 TELEGRAMRU United Kingdom 35->91 93 127.0.0.1 unknown unknown 35->93 73 C:\ProgramData\hvaa1\ieusjw, PE32+ 35->73 dropped 113 Attempt to bypass Chrome Application-Bound Encryption 35->113 115 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->115 117 Found many strings related to Crypto-Wallets (likely being stolen) 35->117 119 5 other signatures 35->119 40 msedge.exe 2 10 35->40         started        43 chrome.exe 8 35->43         started        46 cmd.exe 35->46         started        file15 signatures16 process17 dnsIp18 121 Monitors registry run keys for changes 40->121 48 msedge.exe 40->48         started        101 192.168.2.5, 443, 49305, 49703 unknown unknown 43->101 103 239.255.255.250 unknown Reserved 43->103 50 chrome.exe 43->50         started        53 conhost.exe 46->53         started        55 timeout.exe 46->55         started        signatures19 process20 dnsIp21 83 play.google.com 142.250.181.238, 443, 49960 GOOGLEUS United States 50->83 85 www.google.com 142.250.186.164, 443, 49912, 49917 GOOGLEUS United States 50->85 87 2 other IPs or domains 50->87
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mlajwjbv75jofgsw7bdu6yyhbbbyhvz6zp25yyv5s5t2epkq5q4q._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39
Adware.Generic
error
Adware.Generic
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar credential_access discovery spyware stealer
Link:
https://tria.ge/reports/250219-yrllmszls4/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Verdict:
Suspicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/be7d4232-a9a9-46dc-93ca-b5ddb6d6451e
Unpacked files
SH256 hash:
62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39
MD5 hash:
0c38e5cacc997db36aeb4678c1ddf3bc
SHA1 hash:
30f528e119e699de15b48ea9365dc07a096a580f
Link:
https://www.unpac.me/results/fc8b5c02-2ab9-4b2a-b784-509b9a9b44c2/
SH256 hash:
0a08d5e0f1439e2264cd3412b59ab876559a57636d5cc0318575fa1d5ac7a5de
MD5 hash:
9558cf330f5d822047c9710a09006bb7
SHA1 hash:
ae0288457c5dd29e7cc6f69110628a7ec66dbca2
Link:
https://www.unpac.me/results/fc8b5c02-2ab9-4b2a-b784-509b9a9b44c2/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/fc8b5c02-2ab9-4b2a-b784-509b9a9b44c2/
SH256 hash:
1c6afbd9b85e19530a8166d64a025b8a520a62279ddf34758d58a3b11229dc92
MD5 hash:
48428ee35415a3de5b8d74e652128a1b
SHA1 hash:
fd09e151d522561e83cb74d7ba309ff3f282c527
Link:
https://www.unpac.me/results/fc8b5c02-2ab9-4b2a-b784-509b9a9b44c2/
SH256 hash:
171a47d9ba946ab67f1890c1d1f3a8766d2eda825e69038b10d0b17236b48106
MD5 hash:
495e6abc93b4aabb902697035767bd8a
SHA1 hash:
3f67f0463163ed80bf9c19aa06f541d4cd85f442
Link:
https://www.unpac.me/results/fc8b5c02-2ab9-4b2a-b784-509b9a9b44c2/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/fc8b5c02-2ab9-4b2a-b784-509b9a9b44c2/
SH256 hash:
2ffabb0018d335267d2d0101a41cac7ac7d1aa80956fae91825e46aaa85c0787
MD5 hash:
b1f9d665e52c29972b50d7145d88dce1
SHA1 hash:
df2c67a5c32a19bb110ec8372134522c0dab9ac2
Link:
https://www.unpac.me/results/fc8b5c02-2ab9-4b2a-b784-509b9a9b44c2/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/62c09b2435ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adware.Generic

Executable exe 62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3445855/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceW
kernel32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetFileAttributesW
kernel32.dll::FindFirstFileW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments