MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ed10ccc014106f1ab80bf018eea27a3858c9ac7198b11fbe3a3d622146f4928. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	6ed10ccc014106f1ab80bf018eea27a3858c9ac7198b11fbe3a3d622146f4928
SHA3-384 hash:	d38e4452c45010d1ff5336ca27f680f3832cecd1a3560618a23f075c9f915267499f304555eea3cfce7f36707d348b83
SHA1 hash:	01afdef860a44d2e20b2aaa88c1b600bf92adcee
MD5 hash:	42404c1b1bb4a61648984542ab9ba2c4
humanhash:	six-lake-connecticut-pennsylvania
File name:	file.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	414'208 bytes
First seen:	2023-05-07 07:17:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7781d7f71fc1006ff6cb3831417c4bb2 (1 x TeamBot, 1 x Vidar)
ssdeep	12288:ajKHij00PkgrNeH77a575GA8hLzuwFg6cK:A9j0/gr0k7gbhuW
TLSH	T1E694BF137790B971E6274A318E2EC6F47A2EFCA18F5566DB1748AE1F09702F1C672312
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0010184249200000 (1 x Vidar)
Reporter	abuse_ch
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-05-06 12:23:02 UTC

Tags:

opendir loader stealer vidar trojan evasion arkei rat redline smoke

Link:

https://app.any.run/tasks/ab9c6876-e767-48a6-b077-3a73b7053cdf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/387242/

Detection(s):

Win.Packed.Babar-10001332-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Searching for synchronization primitives

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/645750ac1c5e67171206faa3/reports/6f3bf139-a480-40c4-b3cd-8cd261737f7f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6ed10ccc014106f1ab80bf018eea27a3858c9ac7198b11fbe3a3d622146f4928

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd3e3ea5-b57f-4a6e-8534-8b7ac2b504eb

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1227687

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6ed10ccc014106f1ab80bf018eea27a3858c9ac7198b11fbe3a3d622146f4928/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-05-06 11:32:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 36 (77.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n3iqztabiedpdk4ax4ay52rhuocyzgwhdgfrd67duplcefdpjeua._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:513feb73bb915cb59c141e76e5b64dfd discovery spyware stealer

Link:

https://tria.ge/reports/230507-h4yhzadb65/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199501059503
https://t.me/mastersbots

Unpacked files

SH256 hash:

eaf2edaa3fe54b29dfa01943361562dff47387a1888653e61c78675c566bc004

MD5 hash:

53119f728fd6c36d21b73873fdb65279

SHA1 hash:

f1043295872ba35a6fc52bec2ce02dab02882e1a

Detections:

VidarStealer

Link:

https://www.unpac.me/results/202fd955-6322-430a-b980-4e1092ab0825/

Parent samples :

0da9becd4c6f6af2eb648a057cefb53d17cb2f468503a77d49d5e5f63d16d30c
6ed10ccc014106f1ab80bf018eea27a3858c9ac7198b11fbe3a3d622146f4928

SH256 hash:

6ed10ccc014106f1ab80bf018eea27a3858c9ac7198b11fbe3a3d622146f4928

MD5 hash:

42404c1b1bb4a61648984542ab9ba2c4

SHA1 hash:

01afdef860a44d2e20b2aaa88c1b600bf92adcee

Link:

https://www.unpac.me/results/202fd955-6322-430a-b980-4e1092ab0825/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6ed10ccc0141/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6ed10ccc014106f1ab80bf018eea27a3858c9ac7198b11fbe3a3d622146f4928

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	Telegram_Links Create hunting rule

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/387242/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample