MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 784bb9d5ac9ba16cbfb56d482be25437effc2cca13120d5947782d7f1974ae46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 784bb9d5ac9ba16cbfb56d482be25437effc2cca13120d5947782d7f1974ae46
SHA3-384 hash: 11a9604f24f422558155687d6f1be31d4bd2e4f6c8c0772a89d4bd55c72c3368d68b86cd56853fee32098674989c58d4
SHA1 hash: 13934340b86a525340e1b020fa87ae4347b0232a
MD5 hash: 1653c6e48dc26b080754dc104beef94a
humanhash: orange-maryland-nuts-uranus
File name:Loader.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:453'120 bytes
First seen:2023-04-08 00:53:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a0e60cc838fd0f681073acc8737e4ec0 (4 x RedLineStealer, 2 x Vidar)
ssdeep 6144:yjWJy5sBMxsNixbVvPxx7GcJac212xorx+gp4FWDpnuUgMavx7tedhpW9:wWJwsNiLvZLw2usgp4FWD9gNEW
Threatray 1'203 similar samples on MalwareBazaar
TLSH T105A4D04331DA2021D472D3F780F2F25E12EE696133ED29DB36D8E05F5D191612AACE6E
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter Chainskilabs
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Loader.exe
Verdict:
Malicious activity
Analysis date:
2023-04-08 00:55:05 UTC
Tags:
stealer vidar trojan
Link:
https://app.any.run/tasks/a8bc8d0a-1deb-4a94-9371-a6d33be8123f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380831/
Detection(s):
SecuriteInfo.com.Variant.Zusy.456639.4509.18371.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76948/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6430baeebf68c1790afaf1d1/reports/d7ef9a6a-fb47-4d3f-a56f-1d20ef90b24f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/784bb9d5ac9ba16cbfb56d482be25437effc2cca13120d5947782d7f1974ae46
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d03237dd-bfea-433d-b4d5-f1c1ea811533
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1210494
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/784bb9d5ac9ba16cbfb56d482be25437effc2cca13120d5947782d7f1974ae46/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-04-08 00:54:06 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbf3tvnmtoqwzp5vnvecxysug7x7ylgkcmja2wkhpawx6gluvzda._file
Verdict:
malicious
Similar samples:
12f6e0e9adea28f0619bddd3a51515af45ddfd29f545b21e93c69edffe69fdc1
Vidar
3938e9e23562cf722e3bb98f6289351ff1ce0938f65177d3b581de5c763e90c4
Vidar
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49
Vidar
7cf4bbf990447d72bd9d0ba0a19d824f8b598b4a8759cec8e53f92c2db9a221b
Vidar
82515bb4fb5f3c67b48addca1f08cc2465690f8fac991ea30c68ceceba22a1d3
Vidar
c73c5027ec11576250105ea0664c33a51f3a19901c6bcbfd84d88c94f3482435
Vidar
d3f3ea77ce48cf9b66dd2e067f8c7555b1b1ba5d8cb3f61a91ce68db5a8e8e7e
Vidar
e31e544efa2ec5206c6e96340a4d85282ac0dfce7f96134965c2f576a71d07d6
Vidar
efcb0595cb5b73f253ee68105e2c5d10893b080b77a744cbef4dc33018a49e9d
Vidar
+ 1'193 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:d9392a3a92e0111477748be7138e1491 spyware stealer upx
Link:
https://tria.ge/reports/230408-a8mm9sdb9z/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199492257783
https://t.me/justsometg
Unpacked files
SH256 hash:
055c7946ca1bc7496fba6171f3c670231d6800a48ecd9e1695148460cf187d58
MD5 hash:
7f1219f1dccbbea067dfc418dd23edb1
SHA1 hash:
4d1ee0bed20f6dc4e517a692ebb328c1621e9496
Link:
https://www.unpac.me/results/45f19d6a-3f93-4a9f-af5d-edd80ee950f5/
SH256 hash:
784bb9d5ac9ba16cbfb56d482be25437effc2cca13120d5947782d7f1974ae46
MD5 hash:
1653c6e48dc26b080754dc104beef94a
SHA1 hash:
13934340b86a525340e1b020fa87ae4347b0232a
Link:
https://www.unpac.me/results/45f19d6a-3f93-4a9f-af5d-edd80ee950f5/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/784bb9d5ac9b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/784bb9d5ac9ba16cbfb56d482be25437effc2cca13120d5947782d7f1974ae46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:Telegram_Links
Create hunting rule
Rule name:win_vidar_a_6118
Create hunting rule
Author:Johannes Bader
Description:detect unpacked Vidar samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 784bb9d5ac9ba16cbfb56d482be25437effc2cca13120d5947782d7f1974ae46

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/380831/

Comments