MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84fc76615347be1aea7e2a4625c7cf5973cee76865bd85c0da51e5303d242cb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	84fc76615347be1aea7e2a4625c7cf5973cee76865bd85c0da51e5303d242cb4
SHA3-384 hash:	720e8fca4f1cf22ec669bb53554519c95d3ce009057a8321f1189e699957ccc2f49541a2195d58047daf9e7eeca06c83
SHA1 hash:	3e657e69e5c3b3a9e0ed5354e8f28a80b3552599
MD5 hash:	de27e688202b4fc37b916962b4060c67
humanhash:	three-mirror-pip-three
File name:	SecuriteInfo.com.Win32.PWSX-gen.24892.333
Download:	download sample
Signature	Vidar Create hunting rule
File size:	565'760 bytes
First seen:	2023-05-17 08:30:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:HRGpxihymbN0LZO33/gXWT5mBxgTi4Gp/A+u:xGpx8yPLZ2/ga5mBKTcRAP
Threatray	10 similar samples on MalwareBazaar
TLSH	T1DEC4D0E13238A48FEAB5887454014F401EE5EC67957A730FD9E97F2B443E3D2298B663
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	70f0f894cce87130 (1 x Vidar, 1 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.24892.333

Verdict:

Malicious activity

Analysis date:

2023-05-17 08:31:52 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/91e952bb-7367-402b-be56-10519889436b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/390611/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.24892.333.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm obfuscated packed packed

Link:

https://www.filescan.io/uploads/646490923102425a10e18f92/reports/31125691-c810-4e57-a85a-c7f957d2e84d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/84fc76615347be1aea7e2a4625c7cf5973cee76865bd85c0da51e5303d242cb4

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d86190c0-0e6e-49c1-b280-ba69a8901b66

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1235057

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84fc76615347be1aea7e2a4625c7cf5973cee76865bd85c0da51e5303d242cb4/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qt6hmykti67bv2t6fjdclr6plfz45z3imw6ylqg2khstapjefs2a._file

Verdict:

malicious

Vidar

45ac86c9c4501113f3912d513270d66a5c7bf5a6edb0a89fbb23965271b1049f

Vidar

784bb9d5ac9ba16cbfb56d482be25437effc2cca13120d5947782d7f1974ae46

Vidar

7ed279a6de558b31e93b310ca21564c42431fea11bb55794f8c28126dc1fe1fd

Vidar

bccd81dfc84e37c77d12fc1a145b6854962eee72ac1b73013473022562c04d27

Vidar

d481da91692bf781cefe21ee5fbc3b22423df3370284c0d591959334b5185a06

Vidar

d86b56fbb2ae739877ad2143f719b0c60df88b6d773c9f837f8490fb157ec165

Vidar

e31e544efa2ec5206c6e96340a4d85282ac0dfce7f96134965c2f576a71d07d6

Vidar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:da3b70a6d41764717ff479f0edd50071 discovery spyware stealer

Link:

https://tria.ge/reports/230517-kd7p3aec75/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199263069598
https://t.me/cybehost

Unpacked files

SH256 hash:

094d4e544440a83ba7b6acbcee2530ab8422d9bc4b3ddcc013053b9c12bd464e

MD5 hash:

22f446d2ca848ea9a6351c990a8d8a32

SHA1 hash:

8fc221102b75a3da355dbe7c23ef348b8dfac653

Detections:

VidarStealer

Link:

https://www.unpac.me/results/8e79c62d-be6d-41f3-b13e-91f77b58e146/

SH256 hash:

84fc76615347be1aea7e2a4625c7cf5973cee76865bd85c0da51e5303d242cb4

MD5 hash:

de27e688202b4fc37b916962b4060c67

SHA1 hash:

3e657e69e5c3b3a9e0ed5354e8f28a80b3552599

Link:

https://www.unpac.me/results/8e79c62d-be6d-41f3-b13e-91f77b58e146/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/84fc76615347/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe 84fc76615347be1aea7e2a4625c7cf5973cee76865bd85c0da51e5303d242cb4

(this sample)

Cape

https://www.capesandbox.com/analysis/390611/

URLhaus

https://urlhaus.abuse.ch/url/2635315/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample