MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64
SHA3-384 hash: 08e4ae47304619ff382043c71df5051ecb45ccba44fca5d70121602a720915d0b4a21bce45888c98b36a330991808875
SHA1 hash: 9b4abcc38dda3f2aa0ff93e5c3f04f699d71e150
MD5 hash: 7cf1a4393de6086619313a698939ab0f
humanhash: ink-summer-december-nebraska
File name:7cf1a4393de6086619313a698939ab0f
Download: download sample
Signature Vidar
Create hunting rule
File size:293'376 bytes
First seen:2024-02-27 18:50:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 75cf619e864f9ec1d38846217c5932d0 (2 x Vidar, 1 x GCleaner)
ssdeep 3072:Yfdd36gaMzDQpJwi6cGOHbIeMqvGZKaSpdtpXuTn/RLXvq56sBG:k6qCJD6cGOHvXvIKa6Hyn/RjV
TLSH T15354E09276B3C47AC97B04314A20CA741EBFB8315A78C18737A4D66F8E307D09B9E356
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.1% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0a220a1202121200 (1 x Vidar)
Reporter zbetcheckin
Tags:32 exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64.zip
Verdict:
Malicious activity
Analysis date:
2024-02-28 07:44:22 UTC
Tags:
vidar
Link:
https://app.any.run/tasks/5a080a7c-24cd-4e9d-a958-427643829d19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/478045/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint packed
Link:
https://www.filescan.io/uploads/65de2edbc5e1a083fbface05/reports/191bba7a-1c9b-4be6-b857-05ca118c736b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a9ac0dd-2dde-45d1-a682-154379a4f2b3
Result
Threat name:
Phonk Miner, PureLog Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1399847
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Phonk Miner
Yara detected PureLog Stealer
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1399847 Sample: ihSwZOgViq.exe Startdate: 27/02/2024 Architecture: WINDOWS Score: 100 38 steamcommunity.com 2->38 40 nacionalveiculos.com 2->40 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for dropped file 2->52 54 11 other signatures 2->54 9 ihSwZOgViq.exe 2->9         started        signatures3 process4 signatures5 64 Detected unpacking (changes PE section rights) 9->64 66 Detected unpacking (overwrites its own PE header) 9->66 68 Self deletion via cmd or bat file 9->68 70 3 other signatures 9->70 12 ihSwZOgViq.exe 38 9->12         started        process6 dnsIp7 42 nacionalveiculos.com 177.234.152.236, 443, 49754 LEVEL3US Brazil 12->42 44 65.109.240.92, 443, 49730, 49731 ALABANZA-BALTUS United States 12->44 46 steamcommunity.com 104.71.182.190, 443, 49729 AKAMAI-ASUS United States 12->46 30 C:\Users\user\AppData\...\softokn3[1].dll, PE32 12->30 dropped 32 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 12->32 dropped 34 C:\Users\user\AppData\...\mozglue[1].dll, PE32 12->34 dropped 36 12 other files (8 malicious) 12->36 dropped 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->72 74 Found many strings related to Crypto-Wallets (likely being stolen) 12->74 76 Self deletion via cmd or bat file 12->76 78 5 other signatures 12->78 17 cmd.exe 1 12->17         started        19 cmd.exe 1 12->19         started        file8 signatures9 process10 process11 21 EHCFBFBAEB.exe 1 17->21         started        24 conhost.exe 17->24         started        26 conhost.exe 19->26         started        28 timeout.exe 1 19->28         started        signatures12 56 Antivirus detection for dropped file 21->56 58 Detected unpacking (changes PE section rights) 21->58 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->60 62 3 other signatures 21->62
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2024-02-27 18:51:05 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mvbjzshalcyr7exe7zptmuuk554rbf3htueyjolx6r6g56jwvvsa._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:b8a5ebfe4a0abceff8d2cd1a6c6c4024 stealer
Link:
https://tria.ge/reports/240227-xgw4ysgf65/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detect Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199644883218
https://t.me/neoschats
Unpacked files
SH256 hash:
617932fa32314688174aaccca724492e5106c6a2cd3460de991a9b6669e23eaa
MD5 hash:
64be4169f79475fd2b2f42d6a02749be
SHA1 hash:
20fa348c71aa7272d157b5c44e559190b4571662
Detections:
VidarStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Link:
https://www.unpac.me/results/c3687363-6139-413f-b80c-991fb735ddf0/
Parent samples :
17bf11baccfc41056deed1f7658ca2183c34cff636c9372b1ecb812cdb4efea2
65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64
b1e5bd12279ecaf63aa22e082d6e833d8137d35ee32f87d2798e30e51a91367c
81325d0c1a73cad7402d2020c15304cba466ecc7919061cd16762f655019c038
74c513cfcefe956a1ebe5c7196d31319580523c277333b59816ed48456ed75b5
aec37f0045fb7091d04f8eedd38d171debaec8225d344a8050cea1c31b435e74
744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f
a183934f8e5161ab94c2bd78598b6138b3990a3a2c55b82fa5a7137be3cf6f72
28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6
SH256 hash:
65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64
MD5 hash:
7cf1a4393de6086619313a698939ab0f
SHA1 hash:
9b4abcc38dda3f2aa0ff93e5c3f04f699d71e150
Link:
https://www.unpac.me/results/c3687363-6139-413f-b80c-991fb735ddf0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Dlls
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:Windows_Generic_Threat_c374cd85
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/478045/
  
URLhaus
https://urlhaus.abuse.ch/url/2771729/

Comments


Avatar
zbet commented on 2024-02-27 18:50:02 UTC

url : hxxps://147.45.44.18/soft.exe