MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76d3b8781abaea750616e4993cdc85696fb12b5d0afb7ef66853f604d141758f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments

SHA256 hash:	76d3b8781abaea750616e4993cdc85696fb12b5d0afb7ef66853f604d141758f
SHA3-384 hash:	6fa72cf8af7b80cb36fd728d7e1acf1ab8ca75b09951614ddb430a71c6f8744fa05803f2450736d2a594eda1a651bb62
SHA1 hash:	22e86ec447a074098e19e3f686c373dc53aaf9f3
MD5 hash:	a32ee68cab7021ae6aa6e16e8b70a9b3
humanhash:	harry-idaho-speaker-oklahoma
File name:	a32ee68cab7021ae6aa6e16e8b70a9b3.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	330'240 bytes
First seen:	2023-02-21 14:19:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	471967c5dfd2336871d1f235e7099fa4 (1 x Vidar)
ssdeep	6144:4SQDLbYaw8NPIXh+FjImhk0oV1a09pvIVrh20HpDPIXbwLvw:0D3Yj8ZDFlhkDV17Arh7BIcLvw
Threatray	1'160 similar samples on MalwareBazaar
TLSH	T10B64F11075A0C1B1D99A46748425FAE96D7BBE306A34D9CB37A4237E0F303D19A363DE
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	411ede8286a6aa88 (1 x Vidar)
Reporter	abuse_ch
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

stop

ID:

File name:

00f4a48364a6b7dda4bf98e3847fd94c.exe

Verdict:

Malicious activity

Analysis date:

2023-02-21 11:15:42 UTC

Tags:

trojan loader ransomware stop stealer vidar

Link:

https://app.any.run/tasks/0150e382-7f5b-422f-abd2-e8d84394acd6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/368681/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/71984/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63f4d316b53d126ad2635d83/reports/1f26e907-50f0-470f-97e5-f5829ff89da2/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/76d3b8781abaea750616e4993cdc85696fb12b5d0afb7ef66853f604d141758f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a04cba0e-e94f-4321-b79b-ffdfa7adb3f1

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1179817

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/76d3b8781abaea750616e4993cdc85696fb12b5d0afb7ef66853f604d141758f/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2023-02-20 16:27:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 23 (95.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o3j3q6a2xlvhkbqw4smtzxefnfx3ck25bl5x55tikp3ajukbowhq._file

Verdict:

malicious

Vidar

9a58dd63b51866541d91a5bae6260c27aeec7a4135cd67a6fb686f549d3646a6

Vidar

9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

Vidar

9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453

Vidar

a97e9b6b2d782625ccd00a2177e55c75f6e6dc87d9a33655e521ded0369b5306

Vidar

bf566a0e924a5567391242c61c0070a09ee3bca04a02e4f0170040b90e5b73e5

Vidar

d254183803aaa2a5ab7118f423809013bf0e5fc1766bb37beaea2ce1e0acfa61

Vidar

e661e53f429cd22e30ca6fb368f3e011e76264892f4e718c75cb3636f4f2e611

Vidar

eddd58f52fc1ead5886f788892412d23a0fa5fc4c76af2548ea7321c2f6c4d9c

Vidar

+ 1'150 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:19 discovery spyware stealer

Link:

https://tria.ge/reports/230221-rne65aha3s/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Unpacked files

SH256 hash:

7d10a00217b90157871844f702d8911d68f858cf5ffadd3fd3eb9519ecdd5c7d

MD5 hash:

00f7ad2209578c94160b43a88ca7c40c

SHA1 hash:

6476c4765faea6059cecf60480cf9d140ea7a091

Detections:

VidarStealer

Link:

https://www.unpac.me/results/60f30074-f5b5-47ac-9ec7-bff5de6947dc/

SH256 hash:

76d3b8781abaea750616e4993cdc85696fb12b5d0afb7ef66853f604d141758f

MD5 hash:

a32ee68cab7021ae6aa6e16e8b70a9b3

SHA1 hash:

22e86ec447a074098e19e3f686c373dc53aaf9f3

Link:

https://www.unpac.me/results/60f30074-f5b5-47ac-9ec7-bff5de6947dc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/76d3b8781aba/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/76d3b8781abaea750616e4993cdc85696fb12b5d0afb7ef66853f604d141758f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/368681/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample