MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8593a9f9ddccadf6227d6fa9c75ba6b53bc614d91ca23c72dbf1238beac0c7b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	8593a9f9ddccadf6227d6fa9c75ba6b53bc614d91ca23c72dbf1238beac0c7b0
SHA3-384 hash:	1d4884a825cd03bda2124484abd76ee604c675e4874196d51c32fa456fa78bd95ff81e43fdc2b85149beec5f58036d6d
SHA1 hash:	bbbdc6d695d6a981db24801bbe9a8dd7268f138d
MD5 hash:	0f111a864fe0ce8d53490cad2c07e9b8
humanhash:	aspen-black-saturn-three
File name:	Setup.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	7'127'552 bytes
First seen:	2024-08-21 07:19:26 UTC
Last seen:	2024-08-21 08:53:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3157be06ba85c3cd63f0869690bcf412 (1 x Vidar)
ssdeep	49152:sTM8odx4PYInPYXQYS349o00xbO0pL0p2KHPwuoeohOTCgaRS6YdlcWUlOcYpP99:Q0noeoh5gaRS62cWUlcploE5AGP+Xh
TLSH	T111767C7B33A4826DC56E823BD4A38F01E933B0B54B33C6E7139116695F566C85E3EB21
TrID	77.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 14.1% (.EXE) Win64 Executable (generic) (10523/12/4) 2.7% (.EXE) OS/2 Executable (generic) (2029/13) 2.6% (.EXE) Generic Win/DOS Executable (2002/3) 2.6% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	e9e2eae6b696c6ec (11 x LummaStealer, 4 x Vidar, 2 x FickerStealer)
Reporter	abuse_ch
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

387

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2024-08-21 08:16:11 UTC

Tags:

telegram vidar stealer

Link:

https://app.any.run/tasks/c6633907-ca99-41ba-ad36-40f9a652a199

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.Malware-gen.2755.10712.UNOFFICIAL

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c5952ab2a4681a72966a8b

Tags:

Vidar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

embarcadero_delphi expand fingerprint infostealer keylogger lolbin packed vidar

Link:

https://www.filescan.io/uploads/66c59529ee5a3692149d184b/reports/b759b235-ef11-4900-bbd6-8c5072d9aaeb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8593a9f9ddccadf6227d6fa9c75ba6b53bc614d91ca23c72dbf1238beac0c7b0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/05cc3590-69da-4cd3-8988-2b50f2dd6b36

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1496444

Signature

AI detected suspicious sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found malware configuration

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected Powershell download and execute

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

37%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/8593a9f9ddccadf6227d6fa9c75ba6b53bc614d91ca23c72dbf1238beac0c7b0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8593a9f9ddccadf6227d6fa9c75ba6b53bc614d91ca23c72dbf1238beac0c7b0/

Threat name:

Win64.Spyware.Vidar

Status:

Suspicious

First seen:

2024-06-29 14:47:05 UTC

File Type:

PE+ (Exe)

Extracted files:

129

AV detection:

19 of 38 (50.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qwj2t6o5zsw7mit5n6u4ow5gwu54mfgzdsrdy4w36eryx2way6ya._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:stealc family:vidar credential_access discovery spyware stealer

Link:

https://tria.ge/reports/240821-h54rdazcln/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Detect Vidar Stealer

Stealc

Vidar

Malware Config

C2 Extraction:

https://t.me/g067n
https://steamcommunity.com/profiles/76561199707802586

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3c2013c0-c84d-4992-b1dd-88fbee0d153b

Unpacked files

SH256 hash:

8593a9f9ddccadf6227d6fa9c75ba6b53bc614d91ca23c72dbf1238beac0c7b0

MD5 hash:

0f111a864fe0ce8d53490cad2c07e9b8

SHA1 hash:

bbbdc6d695d6a981db24801bbe9a8dd7268f138d

Link:

https://www.unpac.me/results/a6fef4a3-0dc6-403b-ae43-22739ba91636/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8593a9f9ddcc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8593a9f9ddccadf6227d6fa9c75ba6b53bc614d91ca23c72dbf1238beac0c7b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipDeleteGraphics gdiplus.dll::GdipAlloc gdiplus.dll::GdipCreateFromHDC
MULTIMEDIA_API	Can Play Multimedia	winmm.dll::PlaySoundW gdi32.dll::StretchDIBits
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteW shell32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryW kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoW kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileW kernel32.dll::GetFileAttributesW kernel32.dll::FindFirstFileW version.dll::GetFileVersionInfoSizeW version.dll::GetFileVersionInfoW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegCreateKeyExW advapi32.dll::RegOpenKeyExW advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExW advapi32.dll::RegQueryValueExA advapi32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::EmptyClipboard user32.dll::FindWindowExW user32.dll::FindWindowW user32.dll::LockWorkStation

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample