MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 14 File information Comments

SHA256 hash:	744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f
SHA3-384 hash:	18ea897de545b9068db613f46fc70c7d571ff0a689d95324c4efbf1efef1c1581f8443eb607c1a97a07bfaf561d29e41
SHA1 hash:	b6e5b0a3560f682e632a2e64e33cd754587d0663
MD5 hash:	40786afd529fa3505744f1c1f61b7781
humanhash:	march-california-south-ack
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	244'224 bytes
First seen:	2024-02-29 09:20:51 UTC
Last seen:	2024-02-29 11:15:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f8908c7cc4201a5ad049f35594953f36 (1 x Vidar)
ssdeep	3072:4y/oHYc5GQbPS5aJ2s25tLWu53r01t8HIzqkH3Ni+zouhMBzJvZ9Kj9jIpqAWrod:7IBG+SIJwtLWu53cfUuKBtZ9gJFAWmI
TLSH	T10634D021F2D2C831D7A70534B874D6B00A7ABBF22975428F77643B6A5E712C01A38F76
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	64d29a9889a9a989 (2 x Stealc, 1 x Vidar, 1 x LummaStealer)
Reporter	Bitsight
Tags:	exe vidar

Bitsight

url: https://vk.com/doc329118071_675406576?hash=eZTUwKWKWsPvybP6qbb5CRvCUbk04jz0FY3OgKEzuzP&dl=RETDfxfOLs4jUFgBEQmWLRotseCM3fh9Iw8MTCwXmT0&api=1&no_preview=1#gt

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.8772.17607.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint packed vidar

Link:

https://www.filescan.io/uploads/65e04c80d529a676e565f8d8/reports/c73ee7be-c7d8-4e21-9cc3-8fa593a4be74/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f609a4ff-88e3-4fa8-bebf-43ab2ded15bc

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1400786

Signature

C2 URLs / IPs found in malware configuration

Country aware sample found (crashes after keyboard check)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2024-02-29 06:36:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=orbjppgs3ggbshjcmnbjksgjcscrskbirv2m6zmwlqymrutbzzhq._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:b8a5ebfe4a0abceff8d2cd1a6c6c4024 stealer

Link:

https://tria.ge/reports/240229-lbbehscd6v/

Behaviour

Modifies system certificate store

Program crash

Detect Vidar Stealer

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199644883218
https://t.me/neoschats

Unpacked files

SH256 hash:

617932fa32314688174aaccca724492e5106c6a2cd3460de991a9b6669e23eaa

MD5 hash:

64be4169f79475fd2b2f42d6a02749be

SHA1 hash:

20fa348c71aa7272d157b5c44e559190b4571662

Detections:

VidarStealer

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Link:

https://www.unpac.me/results/a975c4fe-efe8-4bf0-969f-e0fc3a58ebaa/

Parent samples :

17bf11baccfc41056deed1f7658ca2183c34cff636c9372b1ecb812cdb4efea2
65429cc8e058b11f92e4fe5f36528aef791097679d0984b977f47c6ef936ad64
b1e5bd12279ecaf63aa22e082d6e833d8137d35ee32f87d2798e30e51a91367c
81325d0c1a73cad7402d2020c15304cba466ecc7919061cd16762f655019c038
74c513cfcefe956a1ebe5c7196d31319580523c277333b59816ed48456ed75b5
aec37f0045fb7091d04f8eedd38d171debaec8225d344a8050cea1c31b435e74
744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f
a183934f8e5161ab94c2bd78598b6138b3990a3a2c55b82fa5a7137be3cf6f72
28c2e53d3c42ec59ffb971a46d10bf54f29917e9e32af1d7a76956045726c5e6

SH256 hash:

744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f

MD5 hash:

40786afd529fa3505744f1c1f61b7781

SHA1 hash:

b6e5b0a3560f682e632a2e64e33cd754587d0663

Link:

https://www.unpac.me/results/a975c4fe-efe8-4bf0-969f-e0fc3a58ebaa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Dlls Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of MFA browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	Windows_Generic_Threat_c374cd85 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe 744297bcd2d98c191d2263429548c914851928288d74cf65965c30c8d261ce4f

(this sample)

Dropped by

Privateloader

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2771729/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample