MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA3-384 hash:	d7fa740b376b9a680a7c1dd792e2ab85dd2c3ede405f2d4c10159f7c4cbc6cc828ac52d7057de874bd9ec64473fc34b7
SHA1 hash:	c728d9c975e8e2562210da21ca9a43f8a12c21aa
MD5 hash:	f1e756b85ee7ddbd40d3a4213956c693
humanhash:	carolina-robin-snake-friend
File name:	f1e756b85ee7ddbd40d3a4213956c693.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	324'608 bytes
First seen:	2023-10-05 08:57:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7bf0c3cbf0d3960e40b75bc830477f17 (6 x Stealc, 5 x Smoke Loader, 3 x Tofsee)
ssdeep	6144:neX652Eet/FA1qB5W4NduL7WImMO0lJCr02:nn527t/FAEBDNgLaeO0l0r02
Threatray	15 similar samples on MalwareBazaar
TLSH	T1AF64F22172B2C4B1E6F216784834DB80BE7F747329B9859F3715066E6E613D29EA3307
TrID	38.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	040404020c602000 (1 x Vidar)
Reporter	abuse_ch
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

Vendor Threat Intelligence

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/651e7a9abe42b2ac8e5c0bce/reports/9b0d4d45-9238-4731-8cc7-70cef80c24d9/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f96da91d-982e-4d79-a792-d3dd4bc6bba5

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1320046

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-10-04 22:10:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 35 (82.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pbvzipcuiexkcnq4z2zmy4wtqd7rblgbwycnolbmpeoxvwfulflq._file

Verdict:

malicious

Vidar

34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40

Vidar

556f8b06b92ddbc4008dea5298eab3934c61647a1cd7333a9087c37cc5a75456

Vidar

5b4bced547eb17aa796a64c58e89f9d96e56edab6596e02ec13801bf5d452b97

Vidar

e065676a6d3fd822fed9b2a99771a1355035f63873142fa3999cb69659a984d8

Vidar

e0f76fec46d5a367fdec67bfef123cb3ab7c6d7edf2efd14ba4c9b635dc6e34b

Vidar

+ 5 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:4841d6b1839c4fa7c20ecc420b82b347 discovery spyware stealer

Link:

https://tria.ge/reports/231005-kw59ysbg34/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199557479327
https://t.me/grizmons

Unpacked files

SH256 hash:

d61bfabd8555467af57a3c236d7d770d3739ded5d4a2de4199f9f0314b644097

MD5 hash:

5c769480b3e2b9e64dec1bc40556fe56

SHA1 hash:

26a6b55d2bc5802fe9395dd2ea9252ff53e5d037

Detections:

VidarStealer

Link:

https://www.unpac.me/results/4a0c9b7c-3706-49e1-980e-2b3b37f27a06/

SH256 hash:

786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957

MD5 hash:

f1e756b85ee7ddbd40d3a4213956c693

SHA1 hash:

c728d9c975e8e2562210da21ca9a43f8a12c21aa

Link:

https://www.unpac.me/results/4a0c9b7c-3706-49e1-980e-2b3b37f27a06/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/786b943c5441/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample