MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f0d2909498e32a88ea7a3873958edd5456e0d9d3e766ce7c8bcc303f67d8984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f0d2909498e32a88ea7a3873958edd5456e0d9d3e766ce7c8bcc303f67d8984
SHA3-384 hash: 48ce30dc011663bd33d3da63f0056b2426f255ae08cdf8680bbf68b8d10241b25587a9d64a97db3ccacbfa2b8a2ceae7
SHA1 hash: 37157d94c22ddb5be80fb164fab68faede2711e6
MD5 hash: dcd26511183f2d7eb30678661a88b765
humanhash: zulu-glucose-leopard-delta
File name:Setup.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:475'066 bytes
First seen:2023-02-21 03:59:53 UTC
Last seen:2023-02-21 05:28:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a3fed1fa478a521df07472d5a7b200 (1 x Vidar, 1 x Rhadamanthys, 1 x RedLineStealer)
ssdeep 12288:LscjpZYrzMP41INt4WxGaZG3oBHgOmZndxwUnM:LscVZYD1iGWxZiQcrxHM
Threatray 1'345 similar samples on MalwareBazaar
TLSH T162A4E022A38904A5F364EAF2CCB2BEB044AD0479559F717AFF7C8B9017A43D6C791187
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Chainskilabs
Tags:exe vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2023-02-21 04:02:03 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/c264b82e-6f77-4c8e-953a-a6843670f2a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368543/
Detection(s):
SecuriteInfo.com.Variant.Zusy.450960.31812.32215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71901/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63f441c59dd875fc9126c711/reports/6e8c95be-3503-45b2-bfa8-a068965253b1/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/8f0d2909498e32a88ea7a3873958edd5456e0d9d3e766ce7c8bcc303f67d8984
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0aa074a-6aae-49c3-90da-087b23c19242
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179542
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 812368 Sample: Setup.exe Startdate: 21/02/2023 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 6 other signatures 2->43 8 Setup.exe 1 2->8         started        process3 signatures4 49 Writes to foreign memory regions 8->49 51 Allocates memory in foreign processes 8->51 53 Injects a PE file into a foreign processes 8->53 11 AppLaunch.exe 22 8->11         started        16 conhost.exe 8->16         started        process5 dnsIp6 31 78.46.254.12, 49699, 80 HETZNER-ASDE Germany 11->31 33 t.me 149.154.167.99, 443, 49698 TELEGRAMRU United Kingdom 11->33 35 cdn.discordapp.com 162.159.130.233, 443, 49700 CLOUDFLARENETUS United States 11->35 27 C:\Users\user\AppData\Local\...\bildkk[1].exe, PE32+ 11->27 dropped 29 C:\ProgramData\02820059840067091732.exe, PE32+ 11->29 dropped 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->55 57 Tries to steal Mail credentials (via file / registry access) 11->57 59 Tries to harvest and steal browser information (history, passwords, etc) 11->59 61 2 other signatures 11->61 18 02820059840067091732.exe 11->18         started        21 cmd.exe 1 11->21         started        file7 signatures8 process9 signatures10 45 Multi AV Scanner detection for dropped file 18->45 47 Tries to harvest and steal browser information (history, passwords, etc) 18->47 23 conhost.exe 21->23         started        25 timeout.exe 1 21->25         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f0d2909498e32a88ea7a3873958edd5456e0d9d3e766ce7c8bcc303f67d8984/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 04:00:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r4gssckjryzkrdvhuodtswhn2vcw4dm5hz3gzz6ixtbqh5t5rgca._file
Verdict:
malicious
Similar samples:
12b053ff554ab6a4db909b0ee33f419b09f1f0f8a6612ae9773db3451e6d166a
Vidar
1e1a94b620ca832df3db9166c3cdb3e2e4da334c04ed6301a7da4ecea586bb12
Vidar
3e38c14c9a27966b7768fa6a61a0bc86b79fdf8f554d232c26d0a13cd8dcdc36
Vidar
405c9f6e9b379914b66eedba3ba0fca6437ebbd4874c066c5cf6b32ea10c079d
Vidar
9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453
Vidar
ad4e377633b5f0a87ad2a4a6b741615016de79605225737fc4ba5c70308c5e68
Vidar
c3ac86b3dfaed540a466f230e12c3f12c56e10755b6d5d195001ca5523d80fa4
Vidar
e282e8a40a9f9c66e32ff63aa62ea236f642110e79047a3c3d00428df09536a6
Vidar
eddd58f52fc1ead5886f788892412d23a0fa5fc4c76af2548ea7321c2f6c4d9c
Vidar
+ 1'335 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:408 spyware stealer upx
Link:
https://tria.ge/reports/230221-ekm2cade88/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Vidar
Unpacked files
SH256 hash:
279fff770c6678a1839799bd83aa9ace0c78380b9f93bd4b4a689c245382b4e6
MD5 hash:
c404e69187afab5fd694570220660576
SHA1 hash:
ae808badd6813b5b98c10255239983a3d504d08c
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/21551d30-2f3e-4fc4-b5ba-eec1ca28bc71/
Parent samples :
e282e8a40a9f9c66e32ff63aa62ea236f642110e79047a3c3d00428df09536a6
8f0d2909498e32a88ea7a3873958edd5456e0d9d3e766ce7c8bcc303f67d8984
SH256 hash:
8f0d2909498e32a88ea7a3873958edd5456e0d9d3e766ce7c8bcc303f67d8984
MD5 hash:
dcd26511183f2d7eb30678661a88b765
SHA1 hash:
37157d94c22ddb5be80fb164fab68faede2711e6
Link:
https://www.unpac.me/results/21551d30-2f3e-4fc4-b5ba-eec1ca28bc71/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f0d2909498e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.46
Link:
https://yomi.yoroi.company/submissions/8f0d2909498e32a88ea7a3873958edd5456e0d9d3e766ce7c8bcc303f67d8984

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368543/

Comments