MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8defddf3ccf1ca34a7338088a7c98f08569532d0474a5221533b715364921f86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	8defddf3ccf1ca34a7338088a7c98f08569532d0474a5221533b715364921f86
SHA3-384 hash:	dbd0ca44ab8752ec51f6a14172e9ff9267e33f92690624633954a21f69c42e7c5c75a70ca4834199c8cb7391c623e735
SHA1 hash:	8cbcb3514fd4d6fa96d381872044785172d3cd38
MD5 hash:	69b35056fa8377916fd5352ad665221e
humanhash:	mobile-lake-hotel-charlie
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	3'815'648 bytes
First seen:	2023-10-29 00:40:34 UTC
Last seen:	2023-10-29 22:33:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	87d0737459c3ebc7de35794db4768b2f (6 x Vidar, 2 x CoinMiner, 1 x Smoke Loader)
ssdeep	49152:9pOoRzMqCUn7xYdZlmQp/8/mm9/zSrzA/atbpHc/109nSJTl0pox+GgLOz+q6JPf:mtufEJMlwZJ
TLSH	T1F9062A60D34199E5C297C030CD9A4FF4A5E2743B82355B0F1A84DD272DFAF61AFAD292
TrID	53.0% (.EXE) InstallShield setup (43053/19/16) 20.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe signed vidar

Code Signing Certificate

Organisation:	Microsoft Code Signing PCA 2011
Issuer:	Microsoft Code Signing PCA 2011
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-10-29T00:10:17Z
Valid to:	2024-10-29T00:10:17Z
Serial number:	f3a91b70701699415e31741cf6a5e8b3
Thumbprint Algorithm:	SHA256
Thumbprint:	91653d8c93bf6bf7dda0e929a9565ce5cbcb25f389ea4453ed6a80b28a26fcaa
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://171.22.28.221/files/Ads.exe

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-10-29 00:53:47 UTC

Tags:

sinkhole opendir loader stealer arkei vidar privateloader evasion onlylogger smoke lumma stealc redline amadey botnet trojan ransomware stop risepro

Link:

https://app.any.run/tasks/e8684105-0a05-4356-9518-e26fa4906243

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/456861/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.29567.8061.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Connecting to a non-recommended domain

Creating a file

Searching for synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Creating a window

Creating a file in the %AppData% subdirectories

Running batch commands

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Enabling autorun by creating a file

Adding an exclusion to Microsoft Defender

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control greyware hacktool lolbin overlay packed remote

Link:

https://www.filescan.io/uploads/653daa1f0ca0b0185170e94d/reports/ded46cfa-38cc-401e-9a5d-accde61b09fc/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/8defddf3ccf1ca34a7338088a7c98f08569532d0474a5221533b715364921f86

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/022f1eda-e0ec-4541-8b3c-3f0691d85c2f

Score:

87%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8defddf3ccf1ca34a7338088a7c98f08569532d0474a5221533b715364921f86

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8defddf3ccf1ca34a7338088a7c98f08569532d0474a5221533b715364921f86/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-10-29 00:41:06 UTC

File Type:

PE+ (Exe)

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rxx5346m6hfdjjztqcekpsmpbbljkmwqi5ffeikthnyvgzesd6da._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:dcrat family:glupteba family:smokeloader family:vidar botnet:ecfea5e785cf6eb1f47a5865492bbbb3 botnet:pub1 backdoor discovery dropper evasion infostealer loader rat spyware stealer trojan upx vmprotect

Link:

https://tria.ge/reports/231029-a1rx1sea4w/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Enumerates system info in registry

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Enumerates physical storage devices

Drops file in Program Files directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

VMProtect packed file

Downloads MZ/PE file

Drops file in Drivers directory

Modifies Windows Firewall

Stops running service(s)

DcRat

Glupteba

Glupteba payload

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199564671869
https://t.me/scubytale
http://host-file-host6.com/
http://host-host-file8.com/

Unpacked files

SH256 hash:

8defddf3ccf1ca34a7338088a7c98f08569532d0474a5221533b715364921f86

MD5 hash:

69b35056fa8377916fd5352ad665221e

SHA1 hash:

8cbcb3514fd4d6fa96d381872044785172d3cd38

Link:

https://www.unpac.me/results/9a092f6f-c1d7-4194-ba69-9a3d35d2cfa8/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8defddf3ccf1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.79

Link:

https://yomi.yoroi.company/submissions/8defddf3ccf1ca34a7338088a7c98f08569532d0474a5221533b715364921f86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2721934/

Cape

https://www.capesandbox.com/analysis/456861/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample