MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ed279a6de558b31e93b310ca21564c42431fea11bb55794f8c28126dc1fe1fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ed279a6de558b31e93b310ca21564c42431fea11bb55794f8c28126dc1fe1fd
SHA3-384 hash: 06dc1e6ed9811cae188f19379251a8a2fcf4843fde0617b981f7359de297d00a29e3ac41045f8a453ab7bb78b70bd6c3
SHA1 hash: a78a0c627e1d469cb5404a41f07c2d3a38840bad
MD5 hash: 58f16cc21973f83ce13d2b4271d39b42
humanhash: fanta-wisconsin-coffee-fanta
File name:58f16cc21973f83ce13d2b4271d39b42.bin
Download: download sample
Signature Vidar
Create hunting rule
File size:1'176'064 bytes
First seen:2023-04-03 18:02:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4016f2b03c0f5699dd2622a67d892424 (1 x Vidar)
ssdeep 12288:gF3xilhpL6Igw0Ev5tKvhurIfqiJaXpEt8labCis:oxSrL6Iz0+wTJaXpEhCis
Threatray 2 similar samples on MalwareBazaar
TLSH T11B45021171C1D430E9B21A3109B0EBF55A7DF8304F74AD9FB7891A7A5E702D0AB29D2B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:bin exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
58f16cc21973f83ce13d2b4271d39b42.bin
Verdict:
Malicious activity
Analysis date:
2023-04-03 18:04:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c34b3e5b-5d86-4c4a-87cb-2d0c1c81e8cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379764/
Detection(s):
SecuriteInfo.com.Variant.Ser.Zusy.4125.15578.25320.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/642b14da35c10d8aaf2889c4/reports/a6cc4522-d083-47e0-9839-54c6e400f4d8/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7ed279a6de558b31e93b310ca21564c42431fea11bb55794f8c28126dc1fe1fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/475541ca-67b4-416e-8804-41aeec890475
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207343
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 840257 Sample: RhgHarGODi.exe Startdate: 03/04/2023 Architecture: WINDOWS Score: 100 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Vidar stealer 2->48 50 C2 URLs / IPs found in malware configuration 2->50 52 Machine Learning detection for sample 2->52 9 RhgHarGODi.exe 2->9         started        process3 signatures4 54 Writes to foreign memory regions 9->54 56 Allocates memory in foreign processes 9->56 58 Injects a PE file into a foreign processes 9->58 12 InstallUtil.exe 20 9->12         started        process5 dnsIp6 34 t.me 149.154.167.99, 443, 49693 TELEGRAMRU United Kingdom 12->34 36 transfer.sh 144.76.136.153, 443, 49695 HETZNER-ASDE Germany 12->36 38 91.107.229.205, 49694, 80 HETZNER-ASDE Germany 12->38 32 C:\ProgramData\89439338287366657860.exe, PE32+ 12->32 dropped 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->60 62 Tries to harvest and steal browser information (history, passwords, etc) 12->62 64 Tries to steal Crypto Currency Wallets 12->64 17 89439338287366657860.exe 12->17         started        20 cmd.exe 1 12->20         started        file7 signatures8 process9 signatures10 40 Antivirus detection for dropped file 17->40 42 Multi AV Scanner detection for dropped file 17->42 44 Tries to harvest and steal browser information (history, passwords, etc) 17->44 22 cmd.exe 1 17->22         started        24 conhost.exe 20->24         started        26 timeout.exe 1 20->26         started        process11 process12 28 conhost.exe 22->28         started        30 choice.exe 1 22->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ed279a6de558b31e93b310ca21564c42431fea11bb55794f8c28126dc1fe1fd/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-04-03 18:03:08 UTC
File Type:
PE (Exe)
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p3jhtjw6kwftd2j3gegkefleyqsdd7vbdo2vpfhyykasnxa74h6q._file
Verdict:
malicious
Similar samples:
3938e9e23562cf722e3bb98f6289351ff1ce0938f65177d3b581de5c763e90c4
Vidar
d86b56fbb2ae739877ad2143f719b0c60df88b6d773c9f837f8490fb157ec165
Vidar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1e6f203d28d0cd17be85912cc7cd240d spyware stealer
Link:
https://tria.ge/reports/230403-wm1hwsgc86/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199492257783
https://t.me/justsometg
Unpacked files
SH256 hash:
7e11627af3d63b6d47fcaa60931573d357c334c073378ba91633a11c954152c1
MD5 hash:
bf1af55c8812a9e6d501e2848f61adca
SHA1 hash:
d2d8b184c6a591f5affb65ecb37fddfb2b2fdb86
Link:
https://www.unpac.me/results/80af459b-6881-42a3-bb5e-09f4d18350e1/
SH256 hash:
7ed279a6de558b31e93b310ca21564c42431fea11bb55794f8c28126dc1fe1fd
MD5 hash:
58f16cc21973f83ce13d2b4271d39b42
SHA1 hash:
a78a0c627e1d469cb5404a41f07c2d3a38840bad
Link:
https://www.unpac.me/results/80af459b-6881-42a3-bb5e-09f4d18350e1/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ed279a6de55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ed279a6de558b31e93b310ca21564c42431fea11bb55794f8c28126dc1fe1fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/379764/

Comments