MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cefcdfd1df7b64b7312d9d2d418a7f0e61c6b952c7f653d12db7e05a20089fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 4

SHA256 hash: 6cefcdfd1df7b64b7312d9d2d418a7f0e61c6b952c7f653d12db7e05a20089fd
SHA3-384 hash: 078686b50077cd37dda93bfd8d6d6ef7f22471aecc6378acd884e3e1677599c34fc17ac5cef881170281da8ce698de2a
SHA1 hash: 9e2a6d80ad57ffde78f098a65d08fb2f91a4886e
MD5 hash: 790cf3533d356e1d099acdbbfdacf0dd
humanhash: one-washington-avocado-indigo
File name: Route Maps.zip
Signature: Vidar
File size: 1'213'656 bytes
First seen: 2023-06-05 16:40:43 UTC
Last seen: Never
File type: zip
MIME type: application/zip
Note: This file is a password protected archive. The password is: infected
ssdeep: 24576:emczMA2JGH2lQatgAPYfYlFU9wim1Hd8BXuZWLseaPhb1CIbiFu9:A8J2WFrKYlFUK312BXcWLghbkIf9
TLSH: T10A4533A357DC33ADCE73260A92847D61594E701951F6CA0CEA9DCAFC2F8974D22B64CC
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: SquiblydooBlog
Tags: file-pumped vidar zip

Intelligence


File Origin

# of uploads: 1
# of downloads: 178
Origin country: US
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Route Maps.malz
Pumped file: This file is pumped. MalwareBazaar has de-pumped it.
File size: 774'876'632 bytes
SHA256 hash: 84bfaeb9b8dd2dc8b5828c44d9fe482892148911784f7ba04731fca73b7d7b93
MD5 hash: 8f0688799099cf910ab2682a05157353
De-pumped file size: 868'352 bytes (vs. original size of 774'876'632 bytes)
De-pumped SHA256 hash: 8d3e320986a26c0f3b7e2f6e46e1694eafe37470e85a3acae65c7d4943beba3c
De-pumped MD5 hash: 6b9ed61096babd0c10ac15f054d149a8
MIME type: application/x-dosexec
Signature: Vidar
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: ZIP File - Malicious
Behaviour: SuspiciousEmbeddedObjects detected

Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:875 stealer
Behaviour:
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext

Vidar
Malware Config
C2 Extraction:
- https://t.me/litlebey
- https://steamcommunity.com/profiles/76561199472399815
- http://157.90.148.112:80
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: weird_zip_high_compression_ratio
Author: Maxime THIEBAUT (@0xThiebaut)
Description: Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit
Reference: https://twitter.com/Cryptolaemus1/status/1633099154623803394

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments